SCS-C03 Question #55: Real Exam Question with Answer & Explanation

Submitted by lucia.co · Mar 6, 2026 · Category: Infrastructure Security

Question

A company hosts its public website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website is experiencing a global DDoS attack from a specific IoT device brand that uses a unique user agent. A security engineer is creating an AWS WAF web ACL and will associate it with the ALB. Which rule statement will mitigate the current attack and future attacks from these IoT devices without blocking legitimate customers?

Options

  • A. Use an IP set match rule statement.
  • B. Use a geographic match rule statement.
  • C. Use a rate-based rule statement.
  • D. Use a string match rule statement on the user agent.

Explanation

AWS WAF Rule Statement Explanation

The correct answer is D. The attack traffic comes from a single IoT device brand whose devices send a unique, identifiable User-Agent header, so the feature that distinguishes attack requests from customer requests is an HTTP header, not a source address or a country. AWS WAF can inspect any request header, including User-Agent, and a string match rule statement (ByteMatchStatement in the wafv2 API) with a Block action drops every request whose User-Agent contains that string, whatever IP address it arrives from, while customers using ordinary browsers pass through unaffected. Because the rule keys on the device fingerprint rather than on the current set of sources, it also covers future attacks from the same devices. One caveat to keep in mind in practice: the User-Agent header is set by the client, so the rule holds only for as long as the devices keep sending the identifying string.

Why the distractors are wrong:

  • A (IP set match): an IP set matches specific addresses or CIDR ranges. A botnet of IoT devices spread around the world comes from thousands of changing addresses, so an IP block list is purely reactive, always behind the attack, and bounded by the size of an IP set; it also risks blocking customers who share a NAT or carrier address with an infected device.
  • B (Geographic match): the attacking devices are globally distributed, so no country match isolates them. Blocking countries would cut off legitimate international customers while leaving attacking devices in the unblocked countries untouched.
  • C (Rate-based rule): a rate-based rule counts requests per source IP over a trailing window and blocks addresses that exceed the threshold. In a distributed attack each device can stay under the threshold while the aggregate still overwhelms the site, and a legitimate high-volume source such as a corporate NAT or proxy can be blocked instead. It throttles volume; it does not identify the devices.
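The rule that answer D describes, as an added example that is not part of the exam page or of AWS documentation: a small Python script builds the wafv2 rule dictionary (the shape boto3's create_web_acl/update_web_acl accept in Rules), emulates its ByteMatchStatement semantics locally against a few constructed requests, and serialises it for the CLI. The IoT User-Agent fragment "ExampleIoTCam/1.0", the rule and metric name "BlockIoTUserAgent" and the sample requests are all placeholders: the question names no real string.

```python
"""
Added example (not from the exam page or AWS): build the AWS WAF (wafv2)
rule that answer D describes and emulate its matching locally.

Assumptions, all constructed for the demo: the IoT User-Agent fragment
"ExampleIoTCam/1.0" (the question names no real string), the rule and
metric name "BlockIoTUserAgent", and the sample requests below.
"""
import base64
import json

# Placeholder: the page never gives the real IoT brand's User-Agent.
IOT_USER_AGENT_FRAGMENT = "ExampleIoTCam/1.0"


def build_user_agent_block_rule(search_string: str, priority: int = 0) -> dict:
    """Return a wafv2 Rule dict that blocks requests whose User-Agent
    contains `search_string`, case-insensitively.

    AWS WAF applies TextTransformations to the request component only, never
    to SearchString, so with LOWERCASE the search string itself must already
    be lowercase or it can never match.
    """
    return {
        "Name": "BlockIoTUserAgent",
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {
            "ByteMatchStatement": {
                # SingleHeader names are given in lowercase.
                "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
                "SearchString": search_string.lower().encode("utf-8"),
                "PositionalConstraint": "CONTAINS",
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "BlockIoTUserAgent",
        },
    }


RULE = build_user_agent_block_rule(IOT_USER_AGENT_FRAGMENT)

# Constructed sample requests (only the headers the rule cares about).
SAMPLE_REQUESTS = {
    "iot_device": {"User-Agent": "ExampleIoTCam/1.0 (fw 2.3.1)"},
    "iot_device_recased": {"user-agent": "EXAMPLEIOTCAM/1.0"},
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    "curl": {"User-Agent": "curl/8.4.0"},
    "no_user_agent": {"Accept": "*/*"},
}


def rule_matches(rule: dict, headers: dict) -> bool:
    """Local emulation of ByteMatchStatement for a SingleHeader field.
    Covers the LOWERCASE transformation and four positional constraints;
    a request without the header does not match, as in AWS WAF."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    wanted = stmt["FieldToMatch"]["SingleHeader"]["Name"]
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return False
    component = value.encode("utf-8")
    for tt in sorted(stmt["TextTransformations"], key=lambda x: x["Priority"]):
        if tt["Type"] == "LOWERCASE":
            component = component.lower()
        elif tt["Type"] != "NONE":
            raise NotImplementedError(f"transformation {tt['Type']} not emulated")
    needle = stmt["SearchString"]
    constraint = stmt["PositionalConstraint"]
    if constraint == "CONTAINS":
        return needle in component
    if constraint == "STARTS_WITH":
        return component.startswith(needle)
    if constraint == "ENDS_WITH":
        return component.endswith(needle)
    if constraint == "EXACTLY":
        return component == needle
    raise NotImplementedError(f"constraint {constraint} not emulated")


def evaluate(rule: dict, requests: dict) -> dict:
    """Apply the rule, then the web ACL default action (Allow), per request."""
    return {label: "BLOCK" if rule_matches(rule, h) else "ALLOW"
            for label, h in requests.items()}


def to_cli_json(rule: dict) -> str:
    """Serialise for `aws wafv2 create-web-acl --rules file://rules.json`.
    The CLI's default binary format expects blob fields base64-encoded."""
    return json.dumps([rule], indent=2,
                      default=lambda b: base64.b64encode(b).decode("ascii"))


def cli_search_string(rules_json: str) -> bytes:
    """Decode SearchString back out of CLI JSON (round-trip check)."""
    stmt = json.loads(rules_json)[0]["Statement"]["ByteMatchStatement"]
    return base64.b64decode(stmt["SearchString"])


if __name__ == "__main__":
    for label, verdict in evaluate(RULE, SAMPLE_REQUESTS).items():
        print(f"{label:20s} {verdict}")
    print(to_cli_json(RULE))
```

Two details worth noticing: the IoT request survives a change of letter case only because the search string is lowercased at build time to match the LOWERCASE transformation, and a request with no User-Agent at all is allowed, which is the behaviour the question wants but also the obvious way the attacker adapts once the devices are updated.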

💡 Memory Tip: Think "fingerprint the attacker." When attackers have a unique identifier (like a distinctive user agent), match on that exact fingerprint. User agents are like name tags - if a specific device brand always wears the same name tag, WAF can spot and block it every time.

Topics

#AWS WAF · #DDoS Mitigation · #Web Application Security · #String Match Rule
