AWS Certified Solutions Architect – Associate (SAA-C03) — Question 969
A media company hosts its website on AWS. The website application’s architecture includes a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) and a database that is hosted on Amazon Aurora. The company’s cybersecurity team reports that the application is vulnerable to SQL injection.
How should the company resolve this issue?
Answer options
- A. Use AWS WAF in front of the ALB. Associate the appropriate web ACLs with AWS WAF.
- B. Create an ALB listener rule to reply to SQL injections with a fixed response.
- C. Subscribe to AWS Shield Advanced to block all SQL injection attempts automatically.
- D. Set up Amazon Inspector to block all SQL injection attempts automatically.
Correct answer: A
Explanation
AWS WAF can be associated with an Application Load Balancer to inspect HTTP/HTTPS requests and block SQL injection attacks using the rules in its web ACLs. Amazon Inspector is a security assessment service that scans for vulnerabilities but does not block active attacks, while AWS Shield Advanced is primarily designed for DDoS protection. ALB listener rules lack the request content inspection capabilities required to detect and filter complex SQL injection payloads.