
SCS-C02 Question #255: Real Exam Question with Answer & Explanation

The correct answer is A: Create an AWS WAF web ACL. Add the AWSManagedRulesACFPRuleSet rule group to the web. Adding the AWSManagedRulesACFPRuleSet rule group to an AWS WAF web ACL will provide managed protection against common attacks such as SQL injection, cross-site scripting (XSS), and others that could be used to exploit vulnerabilities during events like a promotion. Associating th

Submitted by jakub_pl · Mar 6, 2026

Question

A company is running its application on AWS. Malicious users exploited a recent promotion event and created many fake accounts. The application currently uses Amazon CloudFront in front of an Amazon API Gateway API. AWS Lambda functions serve the different API endpoints. The GET registration endpoint is behind the path of /store/registration. The URI for submission of the new account details is at /store/newaccount. A security engineer needs to design a solution that prevents similar exploitations for future promotion events. Which combination of steps will meet these requirements? (Choose two.)

Options

  • A. Create an AWS WAF web ACL. Add the AWSManagedRulesACFPRuleSet rule group to the web
  • B. Create an AWS WAF web ACL. Add a rate limit rule to the web ACL. Include a
  • C. Specify /store/registration as the registration page path. Specify /store/newaccount as the account
  • D. Enable AWS Shield Advanced for the account that hosts the CloudFront distribution. Configure a
  • E. Enable Amazon GuardDuty for the account that hosts the CloudFront distribution. Enable

Explanation

Adding the AWSManagedRulesACFPRuleSet rule group to an AWS WAF web ACL will provide managed protection against common attacks such as SQL injection, cross-site scripting (XSS), and others that could be used to exploit vulnerabilities during events like a promotion. Associating this web ACL with the CloudFront distribution will apply the rules to incoming traffic before it reaches the API Gateway. Implementing a rate-limiting rule with a RateBasedStatement in AWS WAF helps prevent brute force attacks, such as excessive requests to the /store/registration endpoint. By setting a rate limit, you can mitigate the impact of malicious users creating fake accounts by controlling the number of requests that can be made within a specific time frame.
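
The following is an added example, not part of the original question or its explanation. It audits a dict shaped like the `WebACL` object returned by `wafv2 get-web-acl` for an `AWSManagedRulesACFPRuleSet` entry configured with the question's two paths and for a blocking rate-based rule. The sample ACL, its name, rate limit and field identifiers are constructed assumptions.

```python
ACFP = "AWSManagedRulesACFPRuleSet"

# Constructed sample shaped like the WebACL object from wafv2 get-web-acl.
# The name, limit and field identifiers are assumptions for illustration.
SAMPLE_ACL = {"Name": "promo-acl", "Rules": [
    {"Name": "acfp", "Priority": 0, "OverrideAction": {"None": {}},
     "Statement": {"ManagedRuleGroupStatement": {
         "VendorName": "AWS", "Name": ACFP,
         "ManagedRuleGroupConfigs": [{ACFP: {
             "RegistrationPagePath": "/store/registration",
             "CreationPath": "/store/newaccount",
             "RequestInspection": {
                 "PayloadType": "JSON",
                 "UsernameField": {"Identifier": "/username"},
                 "PasswordField": {"Identifier": "/password"}}}}]}}},
    {"Name": "rate-limit", "Priority": 1, "Action": {"Block": {}},
     "Statement": {"RateBasedStatement": {"Limit": 100,
                                          "AggregateKeyType": "IP"}}},
]}

def acfp_config(web_acl):
    """Return the ACFP settings dict, {} if unconfigured, None if absent."""
    for rule in web_acl.get("Rules", []):
        grp = rule.get("Statement", {}).get("ManagedRuleGroupStatement", {})
        if grp.get("VendorName") == "AWS" and grp.get("Name") == ACFP:
            for cfg in grp.get("ManagedRuleGroupConfigs", []):
                if ACFP in cfg:
                    return cfg[ACFP]
            return {}
    return None

def audit(web_acl, registration_path, creation_path):
    """List gaps between the web ACL and the controls the explanation names."""
    findings = []
    cfg = acfp_config(web_acl)
    if cfg is None:
        findings.append("ACFP rule group not in web ACL")
    else:
        if cfg.get("RegistrationPagePath") != registration_path:
            findings.append("RegistrationPagePath mismatch")
        if cfg.get("CreationPath") != creation_path:
            findings.append("CreationPath mismatch")
    # Only a rate-based rule whose action is Block actually throttles clients.
    if not any("RateBasedStatement" in r.get("Statement", {})
               and "Block" in r.get("Action", {})
               for r in web_acl.get("Rules", [])):
        findings.append("no blocking rate-based rule")
    return findings
```

An empty list from `audit(SAMPLE_ACL, "/store/registration", "/store/newaccount")` means both controls are present; swapping the two paths is reported as two separate mismatches.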
