AWS Certified Security – Specialty — Question 2

The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which instruct that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.
Which architecture should the Security Engineer use to meet these requirements?

Answer options

• A. Use AWS Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
• B. Use AWS Shield to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
• C. Use AWS WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
• D. Use AWS WAF to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.

Correct answer: D

Explanation

The correct answer is D because AWS WAF is specifically designed to protect web applications from common exploits by filtering incoming traffic. Using a third-party AWS Marketplace solution to restrict outgoing traffic ensures that only whitelisted URLs are accessed, meeting the compliance requirements. Options A and B use AWS Shield, which does not provide the necessary web application firewall capabilities, while option C uses VPC Flow Logs, which are not effective for active egress traffic control.