AWS Certified SysOps Administrator – Associate (legacy) — Question 670
A company that hosts a multi-tier ecommerce web application on AWS has been alerted to suspicious application traffic. The architecture consists of Amazon EC2 instances deployed across multiple Availability Zones behind an Application Load Balancer (ALB). After examining the instance logs, a SysOps administrator determines that the suspicious traffic is an attempted SQL injection attack.
What should the SysOps administrator do to prevent similar attacks?
Answer options
- A. Create an Amazon CloudFront distribution with the ALB as the origin. Enable AWS Shield Advanced to protect from SQL injection attacks at edge locations.
- B. Create an AWS WAF web ACL, and configure a SQL injection rule to add to the web ACL. Associate the WAF web ACL with the ALB.
- C. Enable Amazon GuardDuty. Use Amazon EventBridge (Amazon CloudWatch Events) to trigger an AWS Lambda function every time GuardDuty detects SQL injection.
- D. Install Amazon Inspector on the EC2 instances, and configure a rules package. Use the findings reports to identify and block SQL injection attacks.
Correct answer: A
Explanation
AWS Shield Advanced provides comprehensive protection against sophisticated application-layer threats and includes AWS WAF at no additional cost, so rules that block attacks such as SQL injection can be applied to the protected resource. By routing traffic through an Amazon CloudFront distribution with Shield Advanced enabled, the administrator can block SQL injection attempts at edge locations before they ever reach the ALB. Amazon GuardDuty and Amazon Inspector, by contrast, are detective and vulnerability-assessment services: they can surface findings after the fact but do not perform inline, real-time blocking of SQL injection traffic.
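The edge-blocking setup the explanation describes, written out as an added CloudFormation example (not part of the original question or of any AWS sample): a CloudFront distribution with the ALB as its origin, and an AWS WAF web ACL carrying the AWS-managed SQL injection rule group attached to that distribution. The `AlbDnsName` parameter, the resource names and the metric names are assumptions; the Shield Advanced subscription itself is an account-level setting and is not expressed in the template.

```yaml
Parameters:
  AlbDnsName:
    Type: String   # assumed: DNS name of the existing ALB, e.g. my-alb-123.us-east-1.elb.amazonaws.com

Resources:
  # Web ACL for CloudFront; CLOUDFRONT-scoped web ACLs must be created in us-east-1.
  SqliWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: ecommerce-edge-acl
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}          # requests that match no rule pass through to the origin
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ecommerceEdgeAcl
      Rules:
        - Name: AWSManagedRulesSQLiRuleSet
          Priority: 0
          OverrideAction:
            None: {}       # keep the rule group's own Block actions for SQLi matches
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: sqliRuleSet

  # CloudFront in front of the ALB; the web ACL is attached by ARN via WebACLId.
  EdgeDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        WebACLId: !GetAtt SqliWebAcl.Arn
        Origins:
          - Id: alb-origin
            DomainName: !Ref AlbDnsName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:
          TargetOriginId: alb-origin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          # AWS-managed CachingDisabled and AllViewer policies: dynamic app traffic, full request forwarded
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3
```

Once deployed, blocked and sampled requests show up under the `ecommerceEdgeAcl` and `sqliRuleSet` CloudWatch metrics, which is where the administrator would confirm the rule group is actually matching the traffic seen in the instance logs.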