
  • Sysops exam question

  • james-john

    Member
    April 26, 2020 at 9:49 am

    Hi all,

    I have had a question I have a query about.

    Category: SOA – Automation and Optimization

    A SysOps Administrator has been instructed to migrate an application from their on-premises data center to AWS. The architecture should be highly available and secure against common web exploits such as cross-site scripting, SQL injection and brute-force HTTP flood attacks.

    Which combination of steps should the administrator implement in order to meet the above requirement? (Choose 2)

    1. Integrate and configure AWS Shield Advanced with the load balancer.

    2. Launch the application to an Auto Scaling group of EC2 instances across multiple Availability Zones with a Network Load Balancer in front to distribute the incoming traffic.

    3. Integrate and configure AWS Firewall Manager to the load balancer.

    4. Launch the application to an Auto Scaling group of EC2 instances across multiple Availability Zones with an Application Load Balancer in front to distribute the incoming traffic.

    5. Integrate and configure AWS WAF with the load balancer.

    I picked 1 & 5 – 1 for the HTTP flood attacks as it is a DDoS type of attack and 5 to filter the application layer attacks.

    1 was marked as correct but 5 was marked as incorrect with this explanation:

    Integrating and configuring AWS Shield Advanced to the load balancer is incorrect because AWS Shield Advanced is more suitable to be used against distributed denial of service (DDoS) attacks but not for common web exploits such as cross-site scripting, SQL injection, and brute-force HTTP flood attacks. The more suitable service to use here is AWS WAF.

    But brute force HTTP attacks are a form of DDoS – why is this not correct? Also, why would you let a DDoS attack hit your EC2 instances in the first place? Isn’t it better to prevent it from happening using DDoS before it hits your instances in the first place causing it to auto scale?

    Thanks for your help 🙂

  • kung

    Member
    April 26, 2020 at 12:39 pm

    As far as I know, for HTTP flood attacks CloudFront is the advised service to use. Refer to the whitepaper ‘AWS Best Practices for DDoS Resiliency’ (page 16): “These features mean that using Amazon CloudFront reduces the number of requests and TCP connections back to your origin which helps protect your web application from HTTP floods.”
    And something similar is also mentioned on the Shield Overview page: “AWS Shield Advanced also protects you against application layer attacks, like HTTP floods.”

    Furthermore, I was also a bit confused by the wording ‘Integrate’ in options 1, 3 and 5, as - at least for Shield - it’s ‘just’ a matter of configuring the devices you want to be protected in Shield, and nothing more if I read the docs correctly (i.e. no ‘integrate’, which I would assume is something extra besides configuring).

    • james-john

      Member
      April 26, 2020 at 2:54 pm

      Probably an unusual question I suppose, there’s loads of conflicting advice about HTTP flood attacks, there’s some conflicting advice about http flood attacks too. Wonder if it could go either way? Who knows!

    • james-john

      Member
      April 26, 2020 at 2:56 pm

      Not sure why I posted http flood attacks twice haha 😀 I meant HTTP flood attacks and Shield/CloudFront!

  • Jon-Bonso

    Administrator
    April 26, 2020 at 11:02 pm

    Hi James, Kung,

    Thank you for posting your question. The scenario says: “…secure against common web exploits such as cross-site scripting, SQL injection and brute-force HTTP flood attacks”

    I understand that the last item could also be defined as a DDoS attack. However, please note that you can also protect your application from common brute-force attacks using AWS WAF by creating a Rate-based rule:

    https://aws.amazon.com/premiumsupport/knowledge-center/waf-block-common-attacks/

    https://aws.amazon.com/blogs/aws/protect-web-sites-services-using-rate-based-rules-for-aws-waf/

    Remember that by default, your account comes with AWS Shield Standard that defends against most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. AWS Shield Advanced, on the other hand, provides expanded DDoS attack protection to your AWS services.

    The scenario doesn’t warrant the use of AWS Shield Advanced since the main focus is to secure the application against common web exploits.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Jon Bonso @ Tutorials Dojo
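
The rate-based rule mentioned in the reply above, sketched as a CloudFormation template (an added example, not part of the original thread or of Tutorials Dojo's material). It uses the AWS WAFv2 resource types and attaches the web ACL to an Application Load Balancer; the `AlbArn` parameter, the resource and metric names, and the limit of 2000 requests are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Regional web ACL with a per-IP rate limit plus AWS managed XSS/SQLi rules (illustrative)
Parameters:
  AlbArn:                      # hypothetical parameter: ARN of the existing Application Load Balancer
    Type: String
Resources:
  AppWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: app-web-acl        # constructed name
      Scope: REGIONAL          # REGIONAL scope is the one used for load balancers
      DefaultAction: { Allow: {} }
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: appWebAcl }
      Rules:
        # Blocks a source IP once it exceeds the limit within the trailing 5-minute window (HTTP flood / brute force)
        - Name: rate-limit-per-ip
          Priority: 0
          Action: { Block: {} }
          Statement:
            RateBasedStatement:
              Limit: 2000      # assumed threshold; tune to the application's normal traffic
              AggregateKeyType: IP
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: rateLimitPerIp }
        # AWS managed core rule set, which includes cross-site scripting match rules
        - Name: aws-common-rules
          Priority: 1
          OverrideAction: { None: {} }
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: awsCommonRules }
        # AWS managed SQL injection rule set
        - Name: aws-sqli-rules
          Priority: 2
          OverrideAction: { None: {} }
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: awsSqliRules }
  AlbAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt AppWebACL.Arn
```

Switching the rate rule's action to `Count: {}` first lets you watch the CloudWatch metric against real traffic before enforcing the block.
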

    • james-john

      Member
      April 27, 2020 at 8:17 am

      Ah OK, as the question is broken down a bit more I can see 🙂 – One of the techniques picked up from these exams is extracting certain keywords for other questions, which has helped a lot. I find it’s more about how they word the questions, not your own capability!

      Much appreciated!

      • Jon-Bonso

        Administrator
        April 29, 2020 at 9:54 am

        You’re welcome!
