AWS Certified Security – Specialty (SCS-C03) — Question 22
A company has a platform that is divided into 12 AWS accounts under the same organization in AWS Organizations. Many of these accounts use Amazon API Gateway to expose APIs to the company's frontend applications. The company needs to protect the existing APIs, and any resources that will be deployed in the future, against common SQL injection and bot attacks.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Create an AWS WAF web ACL for each API. Include managed rules to block SQL injection and bot attacks. Use AWS Config to detect new resources that do not have a web ACL. Configure a remediation action to provision a web ACL for these resources.
- B. Use AWS Firewall Manager to create an AWS WAF policy. Configure the policy to include the AWS Bot Control and SQL database managed rule groups. Set the policy scope to include the API Gateway stage as the resource type.
- C. Create an AWS Service Catalog product for an AWS WAF web ACL that includes rules to block SQL injection and bot attacks. Use AWS Config to detect new resources that do not have this product applied. Configure a remediation action to provision a web ACL for these resources.
- D. Use AWS Security Hub to detect unprotected resources and to send the findings as custom action events to Amazon EventBridge. Create an AWS Lambda function for these events to provision an AWS WAF web ACL for the unprotected resources. Include managed rules to block SQL injection and bot attacks.
Correct answer: B
Explanation
The correct answer is B because AWS Firewall Manager provides centralized management of AWS WAF policies across all accounts in the organization, and it applies the policy to in-scope resources (here, API Gateway stages) as they are created, so future deployments are covered without additional detection or remediation steps. This significantly reduces operational overhead. Option A, while effective, requires managing a separate web ACL for each API, which is less efficient. Option C adds a new Service Catalog product and a remediation process, which is unnecessary complexity, and option D depends on additional components (AWS Security Hub, EventBridge, and Lambda), which increases operational overhead.