AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 204
A company has an internal web-based application that employees use. The company hosts the application over a VPN in the company’s on-premises network. The application runs on a fleet of Amazon EC2 instances in a private subnet behind a Network Load Balancer (NLB) in the same subnet. The instances are in an Amazon EC2 Auto Scaling group.
During a recent security incident, SQL injection occurred on the application. A network engineer must implement a solution to prevent SQL injection attacks in the future.
Which combination of steps will meet these requirements? (Choose three.)
Answer options
- A. Create an AWS WAF web ACL that includes rules to block SQL injection attacks.
- B. Create an Amazon CloudFront distribution. Specify the EC2 instances as the origin.
- C. Replace the NLB with an Application Load Balancer.
- D. Associate the AWS WAF web ACL with the NLB.
- E. Associate the AWS WAF web ACL with the Application Load Balancer.
- F. Associate the AWS WAF web ACL with the Amazon CloudFront distribution.
Correct answer: A, C, E
Explanation
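The correct combination is A, C, and E. AWS WAF inspects HTTP(S) requests at layer 7, so the web ACL with SQL injection rules (A) has to be associated with a resource type that WAF supports. A Network Load Balancer operates at layer 4 and cannot have a web ACL associated with it, which rules out D. Replacing the NLB with an Application Load Balancer (C) and associating the web ACL with that Application Load Balancer (E) puts WAF in the request path so that it actively filters traffic before it reaches the EC2 instances. Options B and F rely on an Amazon CloudFront distribution, which is not needed for an internal application that employees reach over the VPN, and on its own B provides no protection against SQL injection.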