Question #746
A company hosts a web application using Amazon EC2 instances behind an Application Load Balancer (ALB) in one Availability Zone. The company wants to redesign the architecture to meet the following requirements:
- Inbound traffic must be scanned for common web-based attacks, and matching requests must be blocked.
- All blocked requests must be stored in a third-party security monitoring system.
- The solution must be highly available.
Which solution satisfies these requirements?
A. Configure a Multi-AZ Auto Scaling group using the application's AMI. Deploy an ALB with the Auto Scaling group as the target. Use Amazon GuardDuty to detect threats and integrate it with AWS WAF. Enable logging for WAF using Amazon CloudWatch Logs. Use an AWS Lambda function to periodically export CloudWatch Logs to the third-party monitoring system.
B. Set up an ALB with EC2 instances as targets. Create a web ACL in AWS WAF and associate it with the ALB. Enable logging for WAF using Amazon S3. Configure an Amazon EventBridge rule to trigger an AWS Lambda function that forwards logs from S3 to the third-party monitoring system.
C. Deploy an ALB with EC2 instances in a target group. Create an Amazon Kinesis Data Firehose stream pointing to the third-party monitoring system. Configure AWS WAF with a web ACL, associate it with the ALB, and enable logging to the Kinesis stream. Use AWS Managed Rules for WAF but keep the EC2 instances in a single Availability Zone.
D. Configure a Multi-AZ Auto Scaling group using the application's AMI. Deploy an ALB with the Auto Scaling group as the target. Create a web ACL in AWS WAF and associate it with the ALB. Set up an Amazon Kinesis Data Firehose stream to deliver WAF logs to the third-party monitoring system. Enable logging in WAF with Kinesis as the destination and subscribe to AWS Managed Rules.
Explanation
Option D is correct because:
1. High Availability: Multi-AZ Auto Scaling ensures the application runs across multiple Availability Zones.
2. Traffic Scanning/Blocking: AWS WAF with AWS Managed Rules inspects and blocks common web attacks.
3. Log Storage: WAF logs are streamed via Kinesis Data Firehose to the third-party system, ensuring real-time delivery.
Other options fail because:
- A: Relies on GuardDuty, which is a threat-detection service rather than a web application firewall, and uses periodic Lambda exports of CloudWatch Logs rather than a streaming delivery.
- B: The EC2 instances are placed directly behind the ALB with no Multi-AZ Auto Scaling group, so the solution is not highly available.
- C: The EC2 instances remain in a single Availability Zone, so the solution is not highly available.
Key Points:
- Use WAF for web attack protection.
- Kinesis Firehose enables real-time log streaming.
- Multi-AZ Auto Scaling ensures HA.
Answer
The correct answer is: D