A company's web application is being targeted by SQL injection and cross-site scripting (XSS) attacks. Which AWS service can detect and block these Layer 7 application attacks?
- A. Amazon GuardDuty — threat intelligence and anomaly detection for AWS accounts, not a Layer 7 firewall.
- B. AWS WAF (Web Application Firewall) — inspects HTTP/HTTPS requests and blocks based on rules for SQLi, XSS, IP reputation, etc. ✓ Correct
- C. AWS Shield — DDoS protection at Layers 3 and 4, not application-layer attack prevention.
- D. Amazon Inspector — vulnerability scanning for EC2 and containers, not a runtime traffic filter.
AWS WAF works with CloudFront, ALB, API Gateway, and AppSync. You create Web ACLs with rules (AWS Managed Rule Groups or custom rules) to allow, block, or count matching requests. Pre-built managed rules cover OWASP Top 10, SQL injection, XSS, known bad inputs, and IP reputation lists. It operates at Layer 7.
A security team wants to automatically detect when an IAM access key is used from an unusual geographic location and when EC2 instances are communicating with known cryptocurrency mining pools. Which service provides this ML-based threat detection?
- A. AWS Config — monitors resource configuration changes for compliance, not threat detection.
- B. Amazon Inspector — scans for software vulnerabilities and network exposure, not behavioural threats.
- C. Amazon GuardDuty — uses ML, anomaly detection, and threat intelligence feeds to identify suspicious activity in CloudTrail logs, VPC Flow Logs, and DNS logs. ✓ Correct
- D. AWS Security Hub — aggregates findings from GuardDuty and others but doesn't generate findings itself.
GuardDuty continuously analyses CloudTrail management events, S3 data events, VPC Flow Logs, and DNS logs. It detects threats such as compromised credentials, unusual API calls, crypto mining, data exfiltration, port scanning, and communication with malicious IPs. It requires no agents or additional infrastructure and is activated with one click.
A company wants DDoS protection for their CloudFront distribution and ELB at no additional cost. Which AWS service provides automatic, always-on protection against common network and transport layer DDoS attacks for free?
- A. AWS WAF — Layer 7 protection, billed separately.
- B. AWS Shield Advanced — comprehensive DDoS protection with a 24/7 DDoS Response Team, but costs $3,000/month.
- C. AWS Shield Standard — automatically enabled for all AWS customers at no cost, protects against common Layer 3 and 4 DDoS attacks. ✓ Correct
- D. Amazon GuardDuty — threat detection, not DDoS mitigation.
AWS Shield Standard is automatically enabled for all AWS customers with no additional cost. It provides always-on detection and inline mitigation against common infrastructure (Layer 3/4) DDoS attacks. Shield Advanced adds DDoS cost protection, enhanced detection, AWS DDoS Response Team (DRT) access, and works with WAF for Layer 7 attacks.
A company stores sensitive customer PII data in S3 and wants to automatically discover and classify this data, generating alerts when PII is detected in unexpected buckets. Which AWS service provides this?
- A. Amazon GuardDuty — detects threats, not data classification in S3.
- B. AWS Config — monitors resource configuration, not data content classification.
- C. Amazon Macie — uses ML to automatically discover, classify, and protect sensitive data (PII, credentials, financial data) stored in S3. ✓ Correct
- D. Amazon Inspector — vulnerability scanning for EC2/Lambda/ECR, not S3 data classification.
Amazon Macie analyses S3 objects using ML to identify sensitive data types (PII such as names, credit card numbers, SSNs, and health records). It provides a data inventory and sensitivity scores per bucket, and generates security findings (e.g., "bucket contains unencrypted credit card numbers"). It is essential for GDPR, HIPAA, and PCI DSS compliance.
A security team wants a single dashboard that aggregates security findings from GuardDuty, Inspector, Macie, and third-party tools, and checks compliance against CIS AWS Foundations Benchmark. Which service provides this?
- A. Amazon CloudWatch — monitoring and observability, not security posture management.
- B. AWS CloudTrail — API activity logging, not a security findings aggregator.
- C. Amazon GuardDuty — generates findings but doesn't aggregate from other services.
- D. AWS Security Hub — aggregates findings from AWS security services and third-party tools, and runs automated compliance checks against security standards. ✓ Correct
AWS Security Hub ingests findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and third-party products. It normalises findings into the AWS Security Finding Format (ASFF) and provides a unified view. It also runs automated compliance checks against standards like CIS AWS Foundations, PCI DSS, and AWS Foundational Security Best Practices.