AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 12

A company’s security team requires that all external Application Load Balancers (ALBs) and Amazon API Gateway APIs are associated with AWS WAF web ACLs. The company has hundreds of AWS accounts, all of which are included in a single organization in AWS Organizations. The company has configured AWS Config for the organization. During an audit, the company finds some externally facing ALBs that are not associated with AWS WAF web ACLs.
Which combination of steps should a DevOps engineer take to prevent future violations? (Choose two.)

Answer options

• A. Delegate AWS Firewall Manager to a security account.
• B. Delegate Amazon GuardDuty to a security account.
• C. Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
• D. Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
• E. Configure an AWS Config managed rule to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.

Correct answer: A, C

Explanation

Option A is correct as delegating AWS Firewall Manager allows centralized management of WAF policies across accounts. Option C is also correct because creating a policy ensures that any new ALBs and API Gateway APIs automatically comply with the security requirement. The other options do not address the specific need for WAF associations or do not provide the necessary centralized management and automation.