SOA-C03 · Question #11
SOA-C03 Question #11: Real Exam Question with Answer & Explanation
The correct answer is D: Deploy AWS WAF in front of the ALB. Subscribe to an AWS Managed Rule for SQL injection.
Question
A company deploys an application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The company wants to protect the application from SQL injection attacks. Which solution will meet this requirement?
Options
- A. Deploy AWS Shield Advanced in front of the ALB. Enable SQL injection filtering.
- B. Deploy AWS Shield Standard in front of the ALB. Enable SQL injection filtering.
- C. Deploy a vulnerability scanner on each EC2 instance. Continuously scan the application code.
- D. Deploy AWS WAF in front of the ALB. Subscribe to an AWS Managed Rule for SQL injection.
Explanation
AWS WAF (Web Application Firewall) is specifically designed to protect web applications from common exploits like SQL injection and cross-site scripting (XSS) by inspecting HTTP/HTTPS requests before they reach your application. Deploying WAF in front of the ALB with AWS Managed Rules for SQL injection provides a purpose-built, managed ruleset that automatically detects and blocks malicious SQL patterns without requiring custom rule development.
Why the distractors are wrong:
- Options A & B (AWS Shield) protect against DDoS (Distributed Denial of Service) attacks at the network and transport layers, not application-layer threats like SQL injection. Shield has no SQL injection filtering capability, so the feature these options describe does not exist.
- Option C (vulnerability scanner on EC2) is a reactive, code-analysis approach: it can find injectable code paths, but it does not inspect or block incoming SQL injection requests in real time.
💡 Memory Tip: Think of it this way - Shield = DDoS protection, WAF = Web application attacks (SQL injection, XSS). When you see "SQL injection" or "cross-site scripting" on the exam, WAF is almost always the answer. Also remember WAF integrates directly with ALB, CloudFront, and API Gateway, making it the natural fit for this architecture.
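As an added illustration (not part of the exam page), the following Terraform defines the configuration option D describes: a regional web ACL that uses the AWS-managed SQL injection rule group and is associated with the ALB. The ALB ARN is assumed to be passed in as a variable; the web ACL and metric names are placeholders.

```hcl
# Added example: regional web ACL with the AWS-managed SQLi rule group, attached to an ALB.
# Assumption: var.alb_arn holds the ARN of the load balancer to protect (placeholder).
variable "alb_arn" {
  description = "ARN of the Application Load Balancer to protect (supply your own)"
  type        = string
}

resource "aws_wafv2_web_acl" "app" {
  name  = "app-sqli-protection"
  scope = "REGIONAL" # ALB is regional; CLOUDFRONT scope is only for distributions

  # Requests that match no blocking rule pass through to the ALB.
  default_action {
    allow {}
  }

  rule {
    name     = "aws-managed-sqli"
    priority = 1

    # none{} keeps the rule group's own actions (block on SQLi matches).
    # count{} instead would only log matches, which is useful for a trial period.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }

    # Per-rule CloudWatch metrics and sampled requests show what the rule is matching.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-sqli"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-sqli-protection"
    sampled_requests_enabled   = true
  }
}

# Associating the web ACL with the ALB makes WAF inspect requests before they reach the targets.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.app.arn
}
```

Start with `override_action { count {} }` and review the sampled requests in CloudWatch before switching to `none {}`, so legitimate traffic that the rule group flags is found before it is blocked.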