Q15 — AWS DOP-C02 Ch.3
A DevOps engineer uses AWS WAF to manage web ACLs across AWS accounts. The DevOps engineer wants to ensure AWS WAF is enabled for the Application Load Balancer (ALB) serving the application in each account. The DevOps engineer uses an AWS CloudFormation template to deploy a single ALB and AWS WAF as part of each application stack deployment. After deployment, AWS WAF must be automatically added to the ALB. Which solution meets these requirements with the MOST operational efficiency?
- A. Enable AWS Config. Add the managed rule 'alb-waf'. Create an AWS Systems Manager Automation document to associate AWS WAF with the ALB. Edit the rule to enable automatic remediation and select the Systems Manager Automation document as the remediation action. ✓
- B. Enable AWS Config. Add the managed rule 'alb-waf'. Create an Amazon EventBridge rule to send all AWS Config configuration item change notifications to an AWS Lambda function. Configure the Lambda function to call the AWS Config start-resource-evaluation API in detective mode.
- C. Configure an Amazon EventBridge rule to invoke an AWS Lambda function periodically. The Lambda function calls the CloudFormation drift detection API. Configure the Lambda function to modify the ALB property to 'true' if the AWS::WAFv2::WebACLAssociation resource shows drift and 'waf.alb_open.enabled' is enabled.
- D. Configure an Amazon EventBridge rule to invoke an AWS Lambda function periodically. The Lambda function calls the CloudFormation drift detection API. Configure the Lambda function to delete and redeploy the CloudFormation stack if the AWS::WAFv2::WebACLAssociation resource shows drift.
Correct Answer: A. Enable AWS Config. Add the managed rule 'alb-waf'. Create an AWS Systems Manager Automation document to associate AWS WAF with the ALB. Edit the rule to enable automatic remediation and select the Systems Manager Automation document as the remediation action.
Explanation
Keeping an ALB associated with an AWS WAF web ACL requires continuous monitoring and automated remediation. AWS Config provides managed rules that evaluate compliance status, for example checking whether an ALB is associated with a (optionally specified) web ACL. When AWS Config marks a resource noncompliant (an ALB with no WAF association), the rule's remediation configuration can automatically run a Systems Manager Automation document that performs the association. This event-driven approach uses only native services, reacts as soon as the configuration change is recorded, and minimizes operational overhead. Option A defines detection via a managed rule and implements correction via automatic remediation, achieving a closed-loop, efficient solution. The other options rely on periodic polling or custom Lambda logic, which adds latency and complexity; option B only re-evaluates the rule without remediating, and option D destroys and recreates the stack to fix a single missing association.
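The closed loop in option A written as a CloudFormation fragment (an added example, not part of the question bank): the managed rule the question calls 'alb-waf' has the source identifier `ALB_WAF_ENABLED`, and a remediation configuration runs a small SSM Automation document that calls the `wafv2:AssociateWebACL` API on the noncompliant ALB. Assumed: the Config recorder already records ALBs, and the web ACL ARN and the automation role ARN are supplied as stack parameters (`WebAclArn` and `AutomationRoleArn` are names chosen here).

```yaml
# Added example: Config rule ALB_WAF_ENABLED + automatic remediation via SSM Automation.
# Assumes the Config recorder is on and the web ACL / automation role already exist.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  WebAclArn:
    Type: String            # ARN of the REGIONAL AWS::WAFv2::WebACL to enforce
  AutomationRoleArn:
    Type: String            # role the Automation assumes (needs wafv2:AssociateWebACL)
Resources:
  AlbWafRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: alb-waf-enabled
      Source:
        Owner: AWS
        SourceIdentifier: ALB_WAF_ENABLED   # ALB without a web ACL -> NON_COMPLIANT
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticLoadBalancingV2::LoadBalancer
  AssociateWebAclDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      Content:
        schemaVersion: '0.3'
        assumeRole: '{{ AutomationAssumeRole }}'
        parameters: {ResourceArn: {type: String}, WebACLArn: {type: String}, AutomationAssumeRole: {type: String}}
        mainSteps:
          - name: associateWebAcl
            action: aws:executeAwsApi       # one API call: attach the web ACL to the ALB
            inputs:
              Service: wafv2
              Api: AssociateWebACL
              WebACLArn: '{{ WebACLArn }}'
              ResourceArn: '{{ ResourceArn }}'
  AlbWafRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref AlbWafRule
      TargetType: SSM_DOCUMENT
      TargetId: !Ref AssociateWebAclDocument
      Automatic: true                       # remediate without a human clicking "Remediate"
      MaximumAutomaticAttempts: 3           # required when Automatic is true
      RetryAttemptSeconds: 60
      Parameters:
        ResourceArn: {ResourceValue: {Value: RESOURCE_ID}}   # Config injects the ALB ARN
        WebACLArn: {StaticValue: {Values: [!Ref WebAclArn]}}
        AutomationAssumeRole: {StaticValue: {Values: [!Ref AutomationRoleArn]}}
```

The automation role must allow wafv2:AssociateWebACL and elasticloadbalancing:SetWebACL on the ALB, and the rule's evaluation results (plus the Automation execution history) give the audit trail showing when an ALB drifted and when it was re-protected.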