AWS Certified Solutions Architect – Associate (SAA-C02) — Question 672
A global company is using Amazon API Gateway to design REST APIs for its loyalty club users in the us-east-1 Region and the ap-southeast-2 Region. A solutions architect must design a solution to protect these API Gateway managed REST APIs across multiple accounts from SQL injection and cross-site scripting attacks.
Which solution will meet these requirements with the LEAST amount of administrative effort?
Answer options
- A. Set up AWS WAF in both Regions. Associate Regional web ACLs with an API stage.
- B. Set up AWS Firewall Manager in both Regions. Centrally configure AWS WAF rules.
- C. Set up AWS Shield in both Regions. Associate Regional web ACLs with an API stage.
- D. Set up AWS Shield in one of the Regions. Associate Regional web ACLs with an API stage.
Correct answer: B
Explanation
AWS Firewall Manager simplifies the administration of security rules across multiple AWS accounts and Regions by allowing administrators to centrally configure and deploy AWS WAF policies. While AWS WAF is the correct service to protect against SQL injection and cross-site scripting (XSS) attacks, manually configuring it in each individual account and Region would require significant administrative effort. AWS Shield is designed for DDoS protection rather than application-layer filtering like SQL injection or XSS mitigation.