AWS Certified Security – Specialty (SCS-C02) — Question 293
A company is running its application on AWS. Malicious users exploited a recent promotion event and created many fake accounts.
The application currently uses Amazon CloudFront in front of an Amazon API Gateway API. AWS Lambda functions serve the different API endpoints. The GET registration endpoint is behind the path of /store/registration. The URI for submission of the new account details is at /store/newaccount.
A security engineer needs to design a solution that prevents similar exploitations for future promotion events.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. Create an AWS WAF web ACL. Add the AWSManagedRulesACFPRuleSet rule group to the web ACL. Associate the web ACL with the CloudFront distribution.
- B. Create an AWS WAF web ACL. Add a rate limit rule to the web ACL. Include a RateBasedStatement entry that has a SearchString value that points to /store/registration.
- C. Specify /store/registration as the registration page path. Specify /store/newaccount as the account creation path.
- D. Enable AWS Shield Advanced for the account that hosts the CloudFront distribution. Configure a DNS-specific custom mitigation that uses the Shield Response Team (SRT) for /store/newaccount.
- E. Enable Amazon GuardDuty for the account that hosts the CloudFront distribution. Enable Lambda Protection for the Lambda functions that answer calls to /store/registration and /store/newaccount.
Correct answer: A, B
Explanation
AWS WAF's Account Creation Fraud Prevention (ACFP) rule group (AWSManagedRulesACFPRuleSet) is specifically designed to detect and block fake account creation attempts by analyzing request patterns and submitted credentials at the CloudFront level, before the requests reach API Gateway and the Lambda functions. Additionally, an AWS WAF rate-limiting rule that targets the registration path (/store/registration) mitigates automated, high-volume bot traffic attempting to abuse the signup flow. The remaining options (Shield Advanced DNS mitigation, GuardDuty Lambda Protection) are DDoS-focused or detective controls and do not natively prevent application-level account creation fraud.
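As an added illustration (not part of the original question or an AWS-published template), the following CloudFront-scoped AWS WAF web ACL definition combines the two chosen controls: the ACFP managed rule group configured with the page's registration and account-creation paths, and a rate-based rule scoped down to the registration path with a ByteMatchStatement (the web ACL and rule names, the limit of 100 requests per evaluation window, the JSON payload type and the /username, /password and /email field identifiers are assumptions).

```json
{
  "Name": "promo-signup-protection", "Scope": "CLOUDFRONT",
  "DefaultAction": { "Allow": {} },
  "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "promo-signup-protection" },
  "Rules": [
    {
      "Name": "acfp-account-creation-fraud", "Priority": 0,
      "OverrideAction": { "None": {} },
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS", "Name": "AWSManagedRulesACFPRuleSet",
          "ManagedRuleGroupConfigs": [ {
            "AWSManagedRulesACFPRuleSet": {
              "RegistrationPagePath": "/store/registration",
              "CreationPath": "/store/newaccount",
              "RequestInspection": {
                "PayloadType": "JSON",
                "UsernameField": { "Identifier": "/username" },
                "PasswordField": { "Identifier": "/password" },
                "EmailField": { "Identifier": "/email" }
              }
            }
          } ]
        }
      },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "acfp-account-creation-fraud" }
    },
    {
      "Name": "rate-limit-registration-path", "Priority": 1,
      "Action": { "Block": {} },
      "Statement": {
        "RateBasedStatement": {
          "Limit": 100, "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "ByteMatchStatement": {
              "FieldToMatch": { "UriPath": {} },
              "SearchString": "/store/registration",
              "PositionalConstraint": "STARTS_WITH",
              "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
            }
          }
        }
      },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "rate-limit-registration-path" }
    }
  ]
}
```

A CLOUDFRONT-scoped web ACL is created in the us-east-1 Region (for example with `aws wafv2 create-web-acl --cli-input-json file://web-acl.json`) and must then be associated with the distribution; the rate-based rule counts per-IP requests over WAF's evaluation window (300 seconds by default), so the limit should be tuned against legitimate signup volume observed in sampled requests.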