AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your security operations team has detected a surge of automated credential-stuffing attempts against the /login endpoint of your global e-commerce site. The application is fronted by an Amazon CloudFront distribution that routes dynamic traffic to an Application Load Balancer in us-east-1.
Business stakeholders require that you:
Detect and automatically block credential-stuffing and brute-force login attempts while minimizing false positives for legitimate customers.
Keep protections up-to-date without analysts having to maintain custom rule logic.
Deploy the mitigation quickly without modifying application code, TLS certificates, DNS records, or the existing network architecture.
Which solution will BEST meet these requirements?
Enable AWS Shield Advanced on the CloudFront distribution and configure proactive engagement with the AWS Shield Response Team to stop credential-stuffing attacks.
Attach an AWS WAF web ACL to the CloudFront distribution and add the AWSManagedRulesATPRuleSet managed rule group, specifying the login path and credential fields, with the rule group action set to Block.
Create a custom AWS WAF rate-based rule that blocks any source IP sending more than 100 POST requests to /login within five minutes.
Attach an AWS WAF web ACL to the CloudFront distribution and add the AWS Bot Control managed rule group in targeted-inspection mode, overriding rule actions to CAPTCHA for all detections.
Adding the AWSManagedRulesATPRuleSet managed rule group to a web ACL attached to the CloudFront distribution provides purpose-built protection against credential stuffing and other account-takeover techniques. The rule group continuously checks submitted credentials against a constantly updated stolen-credential database, tracks suspicious login-failure patterns across IP addresses and sessions, and applies blocking actions automatically. Only minimal configuration is required (the login path and the credential field names), so no changes to the application, certificates, or DNS are needed.
Bot Control focuses on generic bot traffic and does not specifically validate stolen credentials, so it may miss account-takeover activity or require more tuning. AWS Shield Advanced protects against volumetric DDoS attacks but does not inspect application-layer login requests. A simple rate-based rule can throttle high-volume traffic from a single IP address but cannot detect distributed attacks or stolen-credential usage and therefore yields higher false positives and ongoing maintenance overhead.
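The configuration the correct answer describes, as an added example that is not part of the original question: a Python helper that builds the wafv2 rule attaching AWSManagedRulesATPRuleSet to a CloudFront-scoped web ACL, with the login path and credential fields supplied as parameters, and a small audit function that reads the ATP settings back out of an ACL definition. The field identifiers "/username" and "/password", the 401/403 failure codes, and the ACL and metric names are assumptions for a hypothetical JSON login API; the API field names themselves (ManagedRuleGroupConfigs, RequestInspection, ResponseInspection) are the real wafv2 structures.

```python
"""Build a CloudFront web ACL rule for the AWS WAF ATP managed rule group.

Added example, not from the exam page. Login field names and status codes
are assumptions for a hypothetical JSON login endpoint.
"""
from __future__ import annotations

import json

ATP_RULE_GROUP = "AWSManagedRulesATPRuleSet"


def build_atp_rule(login_path: str, username_field: str, password_field: str,
                   payload_type: str = "JSON", priority: int = 0) -> dict:
    """Return a wafv2 Rule dict that references the ATP managed rule group.

    For PayloadType JSON the identifiers are JSON pointers ("/username"); for
    FORM_ENCODED they are plain form field names ("username"). A mismatch
    quietly prevents credential inspection, so it is validated up front.
    """
    if payload_type not in ("JSON", "FORM_ENCODED"):
        raise ValueError("payload_type must be JSON or FORM_ENCODED")
    if not login_path.startswith("/"):
        raise ValueError("login_path must be an absolute path such as /login")
    for name in (username_field, password_field):
        if payload_type == "JSON" and not name.startswith("/"):
            raise ValueError(f"JSON identifier must be a JSON pointer: {name!r}")
        if payload_type == "FORM_ENCODED" and name.startswith("/"):
            raise ValueError(f"form identifier must be a field name: {name!r}")

    return {
        "Name": "atp-login-protection",  # assumed rule name
        "Priority": priority,
        # Managed rule groups take OverrideAction; "None" keeps the rule
        # group's own actions, so its blocking rules actually block.
        "OverrideAction": {"None": {}},
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": ATP_RULE_GROUP,
                "ManagedRuleGroupConfigs": [{
                    ATP_RULE_GROUP: {
                        "LoginPath": login_path,
                        "RequestInspection": {
                            "PayloadType": payload_type,
                            "UsernameField": {"Identifier": username_field},
                            "PasswordField": {"Identifier": password_field},
                        },
                        # Response inspection is only supported on CloudFront
                        # web ACLs; it lets ATP track failed-login patterns.
                        # Status codes below are assumed for this login API.
                        "ResponseInspection": {
                            "StatusCode": {"SuccessCodes": [200],
                                           "FailureCodes": [401, 403]}
                        },
                    }
                }],
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "atp-login-protection",
        },
    }


def build_web_acl(rules: list[dict], name: str = "ecommerce-cloudfront-acl") -> dict:
    """Return a create-web-acl request body for a CloudFront-scoped web ACL.

    CloudFront web ACLs are global: Scope is CLOUDFRONT and the wafv2 API call
    must target us-east-1, regardless of where the origin ALB lives.
    """
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def atp_config(acl: dict) -> dict | None:
    """Return the ATP configuration found in an ACL definition, or None.

    Useful as an audit check over ACLs fetched with get_web_acl.
    """
    for rule in acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement", {})
        if stmt.get("Name") != ATP_RULE_GROUP:
            continue
        for cfg in stmt.get("ManagedRuleGroupConfigs", []):
            if ATP_RULE_GROUP in cfg:
                return cfg[ATP_RULE_GROUP]
    return None


if __name__ == "__main__":
    acl = build_web_acl([build_atp_rule("/login", "/username", "/password")])
    print(json.dumps(acl, indent=2))
    # Deploy with: boto3.client("wafv2", region_name="us-east-1").create_web_acl(**acl)
```

Running the script prints the request body; the printed JSON is what the console or `aws wafv2 create-web-acl --scope CLOUDFRONT --region us-east-1` would submit, and the only application-specific inputs are the login path and the two field identifiers, which is why this option needs no code, certificate, or DNS changes.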
Design for New Solutions