AWS Certified Solutions Architect – Associate (SAA-C03) — Question 691

A company has deployed its application on Amazon EC2 instances with an Amazon RDS database. The company used the principle of least privilege to configure the database access credentials. The company's security team wants to protect the application and the database from SQL injection and other web-based attacks.

Which solution will meet these requirements with the LEAST operational overhead?

Answer options

• A. Use security groups and network ACLs to secure the database and application servers.
• B. Use AWS WAF to protect the application. Use RDS parameter groups to configure the security settings.
• C. Use AWS Network Firewall to protect the application and the database.
• D. Use different database accounts in the application code for different functions. Avoid granting excessive privileges to the database users.

Correct answer: B

Explanation

AWS WAF is designed to protect web applications from common web exploits such as SQL injection with minimal operational overhead. Combining AWS WAF with RDS parameter groups allows the security team to easily manage database-level security configurations. Other options, such as security groups, network ACLs, or AWS Network Firewall, operate at the network layers and cannot inspect application-layer SQL injection attacks as effectively as AWS WAF.