Q91 — AWS SCS-C02 Ch.1
Question 91 of 100
A company has a new web-based account management system for an online game. Players create a unique username and password to log in to the system. The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system. The company's security team finds that the system was the target of a credential stuffing attack. Credentials that were exposed in other breaches were used to try to log in to the system. The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future. The solution also must minimize impact on legitimate users of the system. Which combination of actions will meet these requirements? (Choose two.)
- A. Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address. ✓
- B. Add the account takeover prevention (ATP) AWS managed rule group to the web ACL. Configure the rule group to inspect login requests to the system. Block any requests that have the awswaf:managed:aws:atp:signal:credential_compromised label. ✓
- C. Configure a default web ACL action that requires all users to solve a CAPTCHA puzzle when they log in.
- D. Implement IP-based match rules in the web ACL for any IP addresses that generate many successful login responses. Block any IP addresses that generate many successful logins.
- E. Create a custom block response that redirects users to a secure workflow to reset their password inside the system.
Correct Answer: A. Create an Amazon CloudWatch custom metric to analyze the number of successful login responses from a single IP address., B. Add the account takeover prevention (ATP) AWS managed rule group to the web ACL. Configure the rule group to inspect login requests to the system. Block any requests that have the awswaf:managed:aws:atp:signal:credential_compromised label.
Explanation
Defending against credential stuffing with AWS WAF involves detecting anomalous login behavior and using managed rule groups. AWS documentation notes that the ATP rule group identifies compromised credentials by analyzing threat intelligence and blocks the associated requests. Option A's CloudWatch custom metric monitors the number of successful logins from a single IP address, which helps identify anomalous patterns; option B's ATP rule group directly blocks requests that use known compromised credentials. Together, the two improve security without disrupting legitimate users. Option C's CAPTCHA degrades the user experience; option D's IP blocking is prone to blocking legitimate users; option E's password-reset workflow does not directly stop the attack.