Q8 — AWS SAP-C02 Ch.3


Q233. A company's public API runs as tasks on Amazon Elastic Container Service (Amazon ECS). The tasks run on AWS Fargate behind an Application Load Balancer (ALB) and are configured with Service Auto Scaling for the tasks based on CPU utilization. This service has been running well for several months. Recently, API performance slowed down and made the application unusable. The company discovered that a significant number of SQL injection attacks had occurred against the API and that the API service had scaled to its maximum amount. A solutions architect needs to implement a solution that prevents SQL injection attacks from reaching the ECS API service. The solution must allow legitimate traffic through and must maximize operational efficiency. Which solution meets these requirements?

Correct Answer: C. Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL database rule group. Set the web ACL to allow all other traffic that does not match those rules. Attach the web ACL to the ALB in front of the ECS tasks.

Explanation

To prevent SQL injection attacks from reaching the ECS API service, a solutions architect should recommend creating a new AWS WAF (Web Application Firewall) web ACL and adding a rule that blocks requests that match the SQL database rule group. The web ACL should be set to allow all other traffic that does not match those rules, and it should be attached to the ALB in front of the ECS tasks. This approach prevents SQL injection attacks while allowing legitimate traffic through and maximizing operational efficiency. Therefore, option C is the correct answer.

Option A suggests creating a new AWS WAF web ACL to monitor HTTP and HTTPS requests forwarded to the ALB. While this might work for monitoring, it does not provide protection against SQL injection attacks.

Option B suggests creating a new AWS WAF Bot Control implementation. While this might work for preventing bot traffic, it does not provide protection against SQL injection attacks specifically.

Option D suggests using an AWS Lambda function to scrape API logs for IP addresses that send SQL injection attacks and adding those addresses to a block list in an IP set. While this might work, it introduces additional complexity when compared to using a WAF web ACL with a SQL database rule group.

Therefore, the best solution is to create a new AWS WAF web ACL, add a rule that blocks requests that match the SQL database rule group, and attach the web ACL to the ALB in front of the ECS tasks. This approach provides protection against SQL injection attacks while allowing legitimate traffic through and maximizing operational efficiency.
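
The configuration in option C, written as a CloudFormation template. This is an added example, not part of the original question. It assumes the "SQL database rule group" is the AWS managed rule group `AWSManagedRulesSQLiRuleSet`; the resource names, metric names and the `AlbArn` parameter are constructed for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - WAF web ACL with the SQL database managed rule group on an ALB

Parameters:
  AlbArn:                            # assumption: ARN of the existing ALB in front of the ECS tasks
    Type: String

Resources:
  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: api-sqli-protection      # constructed name
      Scope: REGIONAL                # ALBs take REGIONAL web ACLs; CLOUDFRONT is for distributions
      DefaultAction:
        Allow: {}                    # requests that match no rule pass through to the API
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: api-sqli-protection
      Rules:
        - Name: block-sqli
          Priority: 0
          # Managed rule groups take OverrideAction instead of Action.
          # None keeps the group's own Block actions; Count: {} would only
          # record matches, which is useful while checking for false positives.
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: block-sqli

  # Attaches the web ACL to the ALB so requests are filtered before reaching the ECS tasks
  ApiWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt ApiWebAcl.Arn
```

Blocked requests are rejected at the ALB and never reach the tasks, so they no longer drive CPU-based Service Auto Scaling.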