SAP-C02 Study Assistant

SAP-C02 Question 159

Route 53 Lambda EC2 EBS CloudWatch Config WAF Shield Auto Scaling

Question

A company has a website that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB is associated with an AWS WAF web ACL. The website often encounters attacks in the application layer. The attacks produce sudden and significant increases in traffic on the application server. The access logs show that each attack originates from different IP addresses. A solutions architect needs to implement a solution to mitigate these attacks. Which solution will meet these requirements with the LEAST operational overhead?

Options

A. Create an Amazon CloudWatch alarm that monitors server access. Set a threshold based on access by IP address. Configure an alarm action that adds the IP address to the web ACL’s deny list.

B. Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource.

C. Create an Amazon CloudWatch alarm that monitors user IP addresses. Set a threshold based on access by IP address. Configure the alarm to invoke an AWS Lambda function to add a deny rule in the application server’s subnet route table for any IP addresses that activate the alarm.

D. Inspect access logs to find a pattern of IP addresses that launched the attacks. Use an Amazon Route 53 geolocation routing policy to deny traffic from the countries that host those IP addresses.

Answer

B

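Explanation

Correct answer: B. Explanation: The answer to this question is B. Correct option: B. Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource. Rationale: This option most directly satisfies the key constraints in the question. When working SAP-C02 questions, check each option against the qualifiers in the question stem, such as highest performance, least operational overhead, cost-effectiveness, reliability, scalability, security, RTO/RPO, and compliance requirements. The main topics relevant to this question include: Route 53, Lambda, EC2, EBS, Clou...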
