AWS Certified Solutions Architect - Professional / Question #1017 of 529

Question #1017

A company hosts its public API using Amazon API Gateway integrated with AWS Lambda functions. The API serves external clients and partners, who also access a legacy monolithic application running on a single Amazon EC2 instance. The company wants to improve security by preventing denial of service (DoS) attacks, identifying vulnerabilities, and guarding against common web exploits.

What should a solutions architect recommend to address these requirements?

A

Use AWS WAF to protect both the API Gateway API and the legacy application. Configure Amazon Inspector to analyze the EC2 instance. Configure Amazon GuardDuty to block malicious API access attempts.

B

Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to assess both the API Gateway and EC2 instance. Configure Amazon GuardDuty to monitor for malicious activity targeting the APIs.

C

Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze the EC2 instance. Configure Amazon GuardDuty to monitor for malicious attempts to access the APIs.

D

Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to protect the EC2 instance. Configure Amazon GuardDuty to block unauthorized access to both APIs.

Explanation

Option C is correct because:
1. AWS WAF protects the API Gateway API against common web exploits (e.g., SQL injection, cross-site scripting), and its rate-based rules limit request floods from a single source, which covers both the DoS and the web-exploit requirements.
2. Amazon Inspector is designed to analyze EC2 instances for vulnerabilities (e.g., security misconfigurations, known CVEs), addressing the need to identify vulnerabilities in the legacy application.
3. Amazon GuardDuty monitors for malicious activity (e.g., unusual API calls) but does not block access, so it is suitable for detecting threats without direct intervention.

Other options are incorrect because:
- A & D: GuardDuty cannot block malicious attempts; it only monitors and alerts.
- B: Amazon Inspector cannot assess API Gateway, as it is limited to EC2 instances, containers, and container registries.
- A: AWS WAF cannot protect the EC2 instance unless it sits behind an Application Load Balancer or a CloudFront distribution, neither of which is mentioned in the scenario.

Key Points:
- Use AWS WAF for web exploit protection on API Gateway.
- Use Amazon Inspector for vulnerability assessment on EC2.
- Use GuardDuty for monitoring malicious activity (not blocking).
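As an added illustration of what the correct option looks like when deployed (this is example infrastructure code written for this explanation, not part of the original question or an AWS-provided template), the CloudFormation template below attaches an AWS WAF web ACL to an existing API Gateway REST API stage and enables a GuardDuty detector. The web ACL combines a rate-based rule (the DoS control) with the AWS managed Common Rule Set (the web-exploit control). The parameter names, the rate limit of 2000 requests per 5 minutes, and the rule names are assumptions chosen for the example; the API ID and stage name are placeholders the deployer supplies.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Example (not from the original question): WAF web ACL in front of an
  API Gateway REST API stage plus a GuardDuty detector for monitoring.

Parameters:
  RestApiId:
    Type: String
    Description: Placeholder - ID of the existing REST API (e.g. abc123def4)
  StageName:
    Type: String
    Default: prod
    Description: Placeholder - deployed stage to protect

Resources:
  # Regional scope is required for API Gateway targets (CLOUDFRONT is only
  # for CloudFront distributions).
  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: public-api-web-acl          # assumed name
      Scope: REGIONAL
      DefaultAction:
        Allow: {}                       # allow anything the rules do not block
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: publicApiWebAcl
      Rules:
        # DoS control: block any source IP exceeding the limit in a
        # trailing 5-minute window. 2000 is an assumed threshold; tune it
        # to the API's real per-client traffic profile.
        - Name: rate-limit-per-source-ip
          Priority: 0
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rateLimitPerSourceIp
        # Web-exploit control: AWS managed rules covering SQLi, XSS and
        # other common attack patterns. OverrideAction None keeps the
        # rule group's own block actions.
        - Name: aws-managed-common-rules
          Priority: 1
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: awsManagedCommonRules

  # Bind the web ACL to the stage; the ARN format below is the one WAF
  # expects for REST API stages.
  ApiWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${RestApiId}/stages/${StageName}"
      WebACLArn: !GetAtt ApiWebAcl.Arn

  # GuardDuty only detects and raises findings; nothing here blocks traffic.
  # Assumes no detector already exists in this account and region.
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES
```

Amazon Inspector has no "enable" resource in this template because activation is an account-level setting rather than a per-instance resource; it is switched on separately (for example with `aws inspector2 enable --resource-types EC2`), after which it scans the EC2 instance continuously. The template deliberately associates the web ACL only with the API Gateway stage: as the explanation notes, WAF cannot be attached directly to the EC2 instance, which is why option A is wrong.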

Answer

The correct answer is: C