A company serves a public API through a CloudFront distribution. They want to automatically block common web exploits (for example, OWASP Top 10–style threats) without building custom detection logic. Which AWS service configuration best meets the goal?
AWS WAF inspects HTTP(S) requests and applies allow/block decisions based on rule matches. AWS Managed Rules provide prebuilt protections for common threat patterns, and attaching the WAF web ACL to CloudFront applies filtering at the edge.
Why this answer
AWS WAF with AWS Managed Rules provides pre-configured rule sets specifically designed to block common web exploits, including OWASP Top 10 threats, without requiring custom detection logic. By associating the web ACL with a CloudFront distribution, the filtering occurs at the edge, protecting the origin from malicious traffic before it reaches the application.
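The configuration described above, as an added example that is not part of the original question page: a CloudFormation template that creates a CLOUDFRONT-scoped WAFv2 web ACL using AWS Managed Rules rule groups and attaches it to a CloudFront distribution through the distribution's `WebACLId`. The resource names, metric names and origin domain are constructed placeholders; the managed rule group names (`AWSManagedRulesCommonRuleSet`, `AWSManagedRulesKnownBadInputsRuleSet`, `AWSManagedRulesSQLiRuleSet`) and the CloudFront managed cache/origin-request policy IDs are AWS-published values.

```yaml
# Added example (not from the original page): WAFv2 web ACL with AWS Managed
# Rules, attached to a CloudFront distribution. Names and the origin domain
# are constructed placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: AWS WAF web ACL with AWS Managed Rules, attached to CloudFront

Parameters:
  OriginDomainName:
    Type: String
    Default: api-origin.example.com   # placeholder origin hostname

Resources:
  # A CLOUDFRONT-scoped web ACL must be created in us-east-1, regardless of
  # where the origin itself runs.
  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: public-api-web-acl
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}          # requests matching no rule pass through to the origin
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: publicApiWebAcl
      Rules:
        # Core rule set: generic OWASP-style protections (XSS, LFI/RFI,
        # disallowed methods, oversized bodies). Lower priority runs first.
        - Name: AWS-AWSManagedRulesCommonRuleSet
          Priority: 0
          OverrideAction:
            None: {}       # keep the rule group's own block actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: commonRuleSet
        # Request patterns associated with known exploitable flaws
        - Name: AWS-AWSManagedRulesKnownBadInputsRuleSet
          Priority: 1
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesKnownBadInputsRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: knownBadInputs
        # SQL injection signatures, relevant to an API that accepts
        # user-controlled query strings and request bodies
        - Name: AWS-AWSManagedRulesSQLiRuleSet
          Priority: 2
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: sqliRuleSet

  ApiDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: Public API fronted by AWS WAF
        # The association: CloudFront takes the WAFv2 web ACL ARN, so every
        # request is evaluated at the edge before it is forwarded to the origin.
        WebACLId: !GetAtt ApiWebAcl.Arn
        Origins:
          - Id: api-origin
            DomainName: !Ref OriginDomainName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:
          TargetOriginId: api-origin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          # AWS managed policies: CachingDisabled (API responses are not cached)
          # and AllViewer (forward headers, query strings and cookies to origin)
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3
```

Two practitioner checks before deploying this as-is: each managed rule group consumes web ACL capacity units (the Common rule set alone is 700 WCU), so verify the total stays within the web ACL's capacity limit for your account; and for a live API it is common to deploy a rule group first with `OverrideAction: Count: {}` instead of `None: {}`, review the sampled requests and CloudWatch metrics for false positives on legitimate API traffic, then switch to `None: {}` so the group's block actions take effect.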
Exam trap
The trap here is confusing AWS Shield Advanced (which handles volumetric DDoS attacks) with AWS WAF (which handles application-layer threats like OWASP Top 10), leading candidates to believe Shield alone can replace WAF rule evaluation.
How to eliminate wrong answers
Option B is wrong because AWS Shield Advanced provides DDoS protection and cost mitigation, but it does not include application-layer rule evaluation for OWASP Top 10 threats; it is not a replacement for WAF. Option C is wrong because security groups operate at the network layer (Layer 3/4) and cannot inspect HTTP request bodies or application-layer payloads to block patterns like SQL injection or XSS. Option D is wrong because AWS Security Hub is a security posture management service that aggregates findings and does not have the capability to automatically block requests in real time; it lacks inline traffic inspection and enforcement actions.