Question 15
Domain 3: Infrastructure Security

A company has a new web-based account management system for an online game. Players create a unique username and password to log in to the system. The company has implemented an AWS WAF web ACL for the system. The web ACL includes the core rule set (CRS) AWS managed rule group on the Application Load Balancer that serves the system. The company's security team finds that the system was the target of a credential stuffing attack: credentials that were exposed in other breaches were used to try to log in to the system. The security team must implement a solution to reduce the chance of a successful credential stuffing attack in the future. The solution also must minimize impact on legitimate users of the system. Which combination of actions will meet these requirements? (Select TWO.)
Correct answer: C
Explanation
Credential stuffing replays username/password pairs leaked in other breaches, so the individual login requests are well-formed and the CRS managed rule group, which looks for injection and other malformed-request patterns, does not stop them. The AWS WAF account takeover prevention (ATP) managed rule group is built for this case: it inspects requests to the configured login path, compares the submitted credentials against a database of known-compromised credentials, and adds labels such as awswaf:managed:aws:atp:signal:credential_compromised to matching requests. Blocking only on that label affects requests that present credentials already known to be compromised, which keeps the impact on legitimate users low. Pairing the block with a custom response that redirects the user to the password-reset workflow turns the block into a recovery path for an account owner whose password was exposed elsewhere. Rate-based rules, the Anonymous IP List, and CAPTCHA or Challenge actions can also slow automated login attempts, but they do not detect compromised credentials and are not among the listed options.
Why each option is right or wrong
A. Add the account takeover prevention (ATP) AWS managed rule group to the web ACL. Configure the rule group to inspect login requests to the system. Block any requests that have the awswaf:managed:aws:atp:signal:credential_compromised label.
Correct. ATP inspects the login path configured in the rule group and labels requests whose credentials match its compromised-credential database; a label match rule evaluated after the rule group can block exactly those requests while leaving other logins untouched.
B. Create a custom block response that redirects users to a secure workflow to reset their password inside the system.
Correct. The Block action in AWS WAF supports a custom response with a chosen status code and headers, so a blocked login can be answered with a redirect into the password-reset workflow instead of a generic denial, which helps a legitimate user whose password was leaked elsewhere regain access.
C. All of the above
Both A and B are required: A detects and blocks logins that use compromised credentials, and B keeps the block from locking out legitimate users by sending them to a password reset. Together they are the two correct actions.
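The two actions above expressed as web ACL rules, as an added example that is not part of the original question or of AWS documentation. The ATP rule group name, the ManagedRuleGroupConfigs structure, the LabelMatchStatement, and the label key are the real AWS WAF identifiers; the login path /api/v1/login, the JSON field pointers /username and /password, the rule names, priorities, metric names and the reset-password URL are assumptions chosen for illustration and must be replaced with the system's own values.

```json
{
  "Rules": [
    {
      "Name": "AWS-AWSManagedRulesATPRuleSet",
      "Priority": 10,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesATPRuleSet",
          "ManagedRuleGroupConfigs": [
            {
              "AWSManagedRulesATPRuleSet": {
                "LoginPath": "/api/v1/login",
                "RequestInspection": {
                  "PayloadType": "JSON",
                  "UsernameField": { "Identifier": "/username" },
                  "PasswordField": { "Identifier": "/password" }
                }
              }
            }
          ]
        }
      },
      "OverrideAction": { "None": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "atp-rule-group"
      }
    },
    {
      "Name": "block-compromised-credentials-redirect-to-reset",
      "Priority": 20,
      "Statement": {
        "LabelMatchStatement": {
          "Scope": "LABEL",
          "Key": "awswaf:managed:aws:atp:signal:credential_compromised"
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 302,
            "ResponseHeaders": [
              {
                "Name": "Location",
                "Value": "https://accounts.example.com/reset-password?reason=compromised-credential"
              }
            ]
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "block-compromised-credentials"
      }
    }
  ]
}
```

Two details matter when wiring this in beside the existing CRS rule. The label match rule must carry a higher Priority number than the ATP rule group so it is evaluated after the labels have been added; a label match rule evaluated first never matches. And ATP only inspects requests whose path equals LoginPath and whose body matches the RequestInspection fields, so a login endpoint served under a different path or with different field names produces no labels and therefore no blocks; confirm the label appears in sampled requests before relying on the block.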