Question #1751
A company hosts its web application on Amazon EC2 instances with an Amazon Aurora database. They followed the principle of least privilege for database credentials. The security team needs to safeguard the application from SQL injection and other web-based threats while minimizing management effort.
Which solution meets these requirements with the LEAST operational overhead?
Configure security groups and NACLs to restrict access to the application and database.
Deploy AWS WAF to protect the application and use Aurora parameter groups to enforce security settings.
Implement AWS Shield Advanced for DDoS protection and use IAM policies to control database access.
Utilize separate database roles in the application code for each function, limiting privileges strictly.
Explanation
Answer B is correct because:
- AWS WAF directly addresses SQL injection and web-based threats by inspecting and filtering malicious HTTP(S) traffic using managed rules, requiring minimal setup.
- Aurora parameter groups enforce security configurations (e.g., SSL enforcement) at the database level with minimal effort.
Other options are incorrect because:
- A: Security groups/NACLs control network access but do not inspect application-layer content (e.g., SQL injection).
- C: Shield Advanced focuses on DDoS protection, not SQL injection, and IAM policies do not prevent application-layer attacks.
- D: Using separate roles adds operational complexity and does not prevent SQL injection.
Key Points: AWS WAF is purpose-built for web threats; parameter groups simplify database security. Minimizing effort rules out manual code/role management (D) and network controls (A).
Answer
The correct answer is: B