SAP-C02 Study Assistant

SAP-C02 Question 183

Lambda Config WAF ECS Fargate Auto Scaling

Question

A company’s public API runs as tasks on Amazon Elastic Container Service (Amazon ECS). The tasks run on AWS Fargate behind an Application Load Balancer (ALB) and are configured with Service Auto Scaling for the tasks based on CPU utilization. This service has been running well for several months. Recently, API performance slowed down and made the application unusable. The company discovered that a significant number of SQL injection attacks had occurred against the API and that the API service had scaled to its maximum amount. A solutions architect needs to implement a solution that prevents SQL injection attacks from reaching the ECS API service. The solution must allow legitimate traffic through and must maximize operational efficiency. Which solution meets these requirements?

Options

A. Create a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks.

B. Create a new AWS WAF Bot Control implementation. Add a rule in the AWS WAF Bot Control managed rule group to monitor traffic and allow only legitimate traffic to the ALB in front of the ECS tasks.

C. Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL database rule group. Set the web ACL to allow all other traffic that does not match those rules. Attach the web ACL to the ALB in front of the ECS tasks.

D. Create a new AWS WAF web ACL. Create a new empty IP set in AWS WAF. Add a new rule to the web ACL to block requests that originate from IP addresses in the new IP set. Create an AWS Lambda function that scrapes the API logs for IP addresses that send SQL injection attacks, and add those IP addresses to the IP set. Attach the web ACL to the ALB in front of the ECS tasks.

Answer

C

Explanation

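Correct answer: C

Correct option: C. Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL database rule group. Set the web ACL to allow all other traffic that does not match those rules. Attach the web ACL to the ALB in front of the ECS tasks.

Rationale: This option most directly satisfies the key constraints in the question. When working through SAP-C02 questions, check each option against the qualifiers in the question stem, such as highest performance, lowest operational overhead, cost-effectiveness, reliability, scalability, security...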