Key Requirements:
Protect public endpoints (CloudFront distributions and ALBs) frommalicious attacks.
Centralizedmanagementacross multiple accounts in an organization.
Ability tomonitor security configurationseffectively.
Minimizeoperational overhead.
Analysis of Options
Option A:
AWS WAF:Protects web applications by filtering and blocking malicious requests. Rules can be applied to both ALBs and CloudFront distributions.
AWS Firewall Manager:Enables centralized management of WAF rules across multiple accounts in an AWS Organizations organization. It simplifies rule deployment, avoiding the need to configure rules individually in each account.
AWS Config:Monitors compliance by using rules that check Regional and global WAF configurations. Ensures that security configurations align with organizational policies.
Operational Overhead:Centralized management and automated monitoring reduce the operational burden.
Correct Approach:Meets all requirements with the least overhead.
Option B:
This approach involves applying WAF rules in each account manually.
While AWS Config and AWS Security Hub provide monitoring capabilities, managing individual WAF configurations in multiple accounts introduces significant operational overhead.
Incorrect Approach:Higher overhead compared to centralized management with AWS Firewall Manager.
Option C:
Similar to Option A but includesAmazon Inspector, which is not designed for monitoring WAF configurations.
AWS Security Hubis appropriate for monitoring but is redundant when Firewall Manager and Config are already in use.
Incorrect Approach:Adds unnecessary complexity and does not focus on monitoring WAF specifically.
Option D:
AWS Shield Advanced:Focuses on mitigating large-scale DDoS attacks but does not provide the fine-grained web application protection offered by WAF.
AWS Config:Can monitor Shield Advanced configurations but does not fulfill the WAF monitoring requirements.
Incorrect Approach:Does not address the need for WAF or centralized rule management.
Why Option A is Correct
Protection:
AWS WAF provides fine-grained filtering and protection against SQL injection, cross-site scripting, and other web vulnerabilities.
Rules can be applied at both ALBs and CloudFront distributions, covering all public endpoints.
Centralized Management:
AWS Firewall Manager enables security teams to centrally define and manage WAF rules across all accounts in the organization.
Monitoring:
AWS Config ensures compliance with WAF configurations by checking rules and generating alerts for misconfigurations.
Operational Overhead:
Centralized management via Firewall Manager and automated compliance monitoring via AWS Config greatly reduce manual effort.
AWS Solution Architect References
AWS WAF Documentation
AWS Firewall Manager Documentation
AWS Config Best Practices
AWS Organizations Documentation
