Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon SCS-C03 Exam - Topic 5 Question 11 Discussion

A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing attack that is producing many failed login attempts. The attack is coming from many IP addresses. The login attempts are using a user agent string of a known mobile device emulator. A security engineer needs to implement a solution to mitigate the credential stuffing attack. The solution must still allow legitimate logins to the application.Which solution will meet these requirements?
C) Create an AWS WAF web ACL for the ALB. Create a custom rule that blocks requests that contain the user agent string of the device emulator.
A) Create an Amazon CloudWatch alarm that reacts to login attempts that contain the specified user agent string. Add an Amazon Simple Notification Service (Amazon SNS) topic to the alarm.
B) Modify the inbound security group on the ALB to deny traffic from the IP addresses that are involved in the attack.
D) Create an AWS WAF web ACL for the ALB. Create a custom rule that allows requests from legitimate user agent strings.

Amazon SCS-C03 Exam - Topic 5 Question 11 Discussion

Actual exam question for Amazon's SCS-C03 exam
Question #: 11
Topic #: 5
[All SCS-C03 Questions]

A company has a web-based application that runs behind an Application Load Balancer (ALB). The application is experiencing a credential stuffing attack that is producing many failed login attempts. The attack is coming from many IP addresses. The login attempts are using a user agent string of a known mobile device emulator. A security engineer needs to implement a solution to mitigate the credential stuffing attack. The solution must still allow legitimate logins to the application.

Which solution will meet these requirements?

Show Suggested Answer Hide Answer
Suggested Answer: C

A credential stuffing attack at the ALB is aLayer 7problem and is best mitigated withAWS WAF. The attacker is distributed across many IPs, so blocking by IP in a security group (Option B) is ineffective and operationally heavy. A CloudWatch alarm (Option A) only alerts; it does not block or mitigate requests.

Because the malicious traffic uses a distinctive, knownUser-Agentstring associated with a mobile device emulator, AWS WAF can quickly reduce the attack by inspecting the User-Agent header and blocking matching requests. This approach is targeted: it blocks the identified automated attack pattern while allowing legitimate users who do not present that emulator User-Agent to continue logging in. The WAF rule can be deployed immediately on the existing ALB-associated web ACL and can be further refined (for example, applied only to /login paths, combined with rate-based rules, or integrated with Bot Control) to minimize false positives.

Option D is risky because ''allow only legitimate user agents'' is brittle: user agents are diverse and change frequently, and a strict allow-list can accidentally block real users. Therefore, a WAF custom block rule for the known malicious User-Agent string is the correct solution.


Contribute your Thoughts:

0/2000 characters
Frederica
2 days ago
I practiced a similar question where we had to mitigate attacks using WAF rules. I think option D could work, but it might be too broad and let some bad traffic through.
upvoted 0 times
...
Kris
7 days ago
I'm not entirely sure, but I feel like just blocking IPs in option B could lead to issues with legitimate users if they happen to share an IP.
upvoted 0 times
...
Jutta
12 days ago
I remember studying about AWS WAF and how it can be used to block specific user agents. I think option C might be the right choice.
upvoted 0 times
...

Save Cancel