AWS Certified SysOps Administrator – Associate (legacy) — Question 889

A SysOps Administrator is deploying a legacy web application on AWS. The application has four Amazon EC2 instances behind a Classic Load Balancer and stores data in an Amazon RDS instance. The legacy application has known vulnerabilities to SQL injection attacks, but the application code is no longer available to update.
What cost-effective configuration change should the Administrator make to mitigate the risk of SQL injection attacks?

Answer options

• A. Configure Amazon GuardDuty to monitor the application for SQL injection threats.
• B. Configure AWS WAF with a Classic Load Balancer for protection against SQL injection attacks.
• C. Replace the Classic Load Balancer with an Application Load Balancer and configure AWS WAF on the Application Load Balancer.
• D. Configure an Amazon CloudFront distribution with the Classic Load Balancer as the origin and subscribe to AWS Shield Standard.

Correct answer: B

Explanation

Integrating AWS WAF directly with the existing Classic Load Balancer is the most cost-effective way to block SQL injection attacks without requiring infrastructure changes. While migrating to an Application Load Balancer is a viable alternative, it incurs additional configuration and migration overhead. Amazon GuardDuty is a threat detection service rather than a prevention tool, and AWS Shield Standard focuses on DDoS mitigation rather than application-layer SQL injection protection.