AWS Certified Solutions Architect - Associate

Explanation

Correct Answer: D

Why Option D is correct:

1. AWS WAF (Web Application Firewall) is specifically designed to protect web applications and APIs from common web exploits like SQL injection and cross-site scripting (XSS) attacks.
2. CloudFront integration with API Gateway provides an additional layer of protection and allows you to apply AWS WAF at the edge location, which is operationally efficient.
3. Operational efficiency is achieved because:
   • AWS WAF rules can be easily configured and managed
   • CloudFront provides caching and DDoS protection
   • The solution protects at the edge before requests reach API Gateway
   • AWS WAF has pre-configured rules for SQL injection and XSS attacks

Why other options are incorrect:

A. Configure AWS Shield:

• AWS Shield is primarily for DDoS protection, not for SQL injection or XSS attacks
• It doesn't provide the specific web application firewall capabilities needed

B. Configure AWS WAF:

• While AWS WAF can protect against SQL injection and XSS, it's more operationally efficient to deploy it with CloudFront
• Deploying WAF directly on API Gateway without CloudFront is possible but less efficient

C. Set up API Gateway with CloudFront + AWS Shield:

• AWS Shield doesn't protect against SQL injection or XSS attacks
• This solution adds DDoS protection but not the specific web application security needed

Key AWS Services:

• AWS WAF: Protects web applications from common web exploits
• CloudFront: Content delivery network that can integrate with AWS WAF at edge locations
• API Gateway: Managed service for creating, publishing, maintaining, monitoring, and securing APIs

Best Practice: For protecting APIs from web exploits, the most operationally efficient approach is to use CloudFront as a front-end with AWS WAF enabled, which provides edge security and caching benefits.