On the AWS Certified Solutions Architect – Associate exam, when you see a scenario about protecting applications from SQL injection or cross-site scripting (XSS) attacks, the correct answer almost always involves AWS WAF (Web Application Firewall).
The most common exam trap is attaching WAF directly to an EC2 instance. WAF has no integration with EC2 instances, ENIs or security groups, so that option is never correct: the instance has to sit behind a resource that WAF can protect.
For the exam, the integration points to remember are CloudFront, Application Load Balancer (ALB) and API Gateway. (AWS WAF also attaches to AppSync, Cognito user pools, App Runner and Verified Access, and a web ACL meant for CloudFront must be created in us-east-1, but the three above are what the scenarios test.)
Scenario
An e-commerce company runs its inventory management portal on Amazon EC2 instances behind an Application Load Balancer (ALB), with traffic accelerated and cached through Amazon CloudFront.
The company needs to:
Protect the admin portal from SQL injection and XSS attacks
Ensure malicious requests are blocked before reaching EC2
Use a managed, scalable solution that integrates with CloudFront
Solution — Deploy AWS WAF on CloudFront
The company attaches AWS WAF to its CloudFront distribution, ensuring application-layer protection at the edge.
WAF inspects every request that arrives through CloudFront before it reaches the ALB or EC2
Managed rule groups block common exploits like SQLi and XSS
Only clean, valid requests reach the origin servers
Result: malicious traffic is filtered at the edge, reducing load on EC2 and securing back-office functions.
Exam Reminder: Because CloudFront sits in front of the ALB, attaching WAF to the distribution blocks attacks at the edge, before they enter the VPC. In a real deployment this only holds if the ALB refuses requests that bypass CloudFront (for example by checking a secret header that CloudFront adds to origin requests, or by allowing only the CloudFront origin-facing managed prefix list in the ALB security group); otherwise an attacker who finds the ALB's DNS name skips the WAF entirely.
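The solution above, as an added Terraform example (not from the original page or the study notes): a CloudFront-scoped web ACL carrying the two AWS managed rule groups that hold the XSS and SQL injection signatures, plus a rate-based rule that throttles brute force against the admin login. The provider alias aws.us_east_1 and the resource and metric names are assumptions.

```hcl
# Added example (not from the original page). Assumes a provider alias
# aws.us_east_1 for the N. Virginia region; names are illustrative.

# A web ACL for CloudFront is global and must be created in us-east-1.
resource "aws_wafv2_web_acl" "edge" {
  provider = aws.us_east_1
  name     = "inventory-portal-edge"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # Managed group carrying the XSS signatures and other OWASP Top 10 checks.
  rule {
    name     = "aws-common"
    priority = 10
    override_action {
      none {} # keep each rule's own action rather than downgrading to count
    }
    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesCommonRuleSet"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common"
      sampled_requests_enabled   = true
    }
  }

  # Managed group carrying the SQL injection signatures.
  rule {
    name     = "aws-sqli"
    priority = 20
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesSQLiRuleSet"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-sqli"
      sampled_requests_enabled   = true
    }
  }

  # Rate-based custom rule: block a source IP that hammers the admin login.
  # Only requests matching the scope-down statement are counted.
  rule {
    name     = "admin-rate-limit"
    priority = 30
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 300 # requests per source IP per 5-minute window
        aggregate_key_type = "IP"
        scope_down_statement {
          byte_match_statement {
            search_string         = "/admin"
            positional_constraint = "STARTS_WITH"
            field_to_match {
              uri_path {}
            }
            text_transformation {
              priority = 0
              type     = "LOWERCASE"
            }
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "admin-rate-limit"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "inventory-portal-edge"
    sampled_requests_enabled   = true
  }
}
```

Attach it by setting `web_acl_id = aws_wafv2_web_acl.edge.arn` on the `aws_cloudfront_distribution`; CloudFront takes the web ACL ARN directly, and the `aws_wafv2_web_acl_association` resource exists only for regional targets such as an ALB or an API Gateway stage. Roll the managed groups out with `override_action { count {} }` first and read the sampled requests in CloudWatch before switching to `none {}`, so a false positive in the inventory portal's own forms does not block legitimate staff.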
Cheat Sheet: WAF Key Features
| Feature | What It Does | Exam Relevance |
|---|---|---|
| Managed Rule Groups | Prebuilt rules from AWS and Marketplace vendors against SQLi, XSS, bots and known bad inputs | Exam clue: "protect against SQL injection or cross-site scripting" → WAF |
| Custom Rules | Allow, block or count requests by source IP, country, headers, URI, query string or body | Look for "specific filtering requirements" |
| Rate-Based Rules | Block a source IP once it exceeds a request threshold in a rolling window (5 minutes by default) | Useful for brute-force, credential-stuffing or scraper protection |
| Integration Points | CloudFront, ALB, API Gateway (also AppSync, Cognito user pools, App Runner, Verified Access) | Never EC2 directly: the common exam trap |
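The custom-rule and ALB integration rows above, as an added Terraform example (not from the original page): a regional web ACL on the ALB that blocks every request unless it carries the secret header CloudFront adds on its way to the origin, so the edge WAF cannot be bypassed by calling the ALB's DNS name directly. The ALB resource aws_lb.portal, the variable var.origin_secret and the header name X-Origin-Verify are assumptions; the matching origin side is a `custom_header` block with the same name and value on the distribution's origin.

```hcl
# Added example (not from the original page). Assumes an ALB resource
# aws_lb.portal and a variable var.origin_secret whose value CloudFront adds
# to every origin request in the custom header X-Origin-Verify.

# Regional web ACL for the ALB: default block, allow only CloudFront traffic.
resource "aws_wafv2_web_acl" "origin" {
  name  = "inventory-portal-origin"
  scope = "REGIONAL"

  default_action {
    block {}
  }

  # Custom rule on a header: exact match on the shared secret lets it through.
  rule {
    name     = "allow-via-cloudfront"
    priority = 1
    action {
      allow {}
    }
    statement {
      byte_match_statement {
        search_string         = var.origin_secret
        positional_constraint = "EXACTLY"
        field_to_match {
          single_header {
            name = "x-origin-verify" # WAF expects header names in lowercase
          }
        }
        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-via-cloudfront"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "inventory-portal-origin"
    sampled_requests_enabled   = true
  }
}

# Regional targets (ALB, API Gateway stage, AppSync API) are attached with an
# association resource. There is none for an EC2 instance, which is the trap.
resource "aws_wafv2_web_acl_association" "origin" {
  resource_arn = aws_lb.portal.arn
  web_acl_arn  = aws_wafv2_web_acl.origin.arn
}
```

Mark `var.origin_secret` as `sensitive = true`, generate it with `random_password` or store it in Secrets Manager, and rotate it by adding a second allow rule with the new value before removing the old one. A security group rule on the ALB that admits only the managed prefix list `com.amazonaws.global.cloudfront.origin-facing` is a complementary Layer 3/4 control; the header check is still worth keeping because that prefix list covers every CloudFront distribution, not only yours.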
Cheat Sheet: AWS Edge Security Options
| Service | Protects Against | Best For | Exam Cue |
|---|---|---|---|
| AWS WAF | SQL injection, XSS, custom request filtering (Layer 7) | Web apps & APIs | "Protect against SQL injection or cross-site scripting" → WAF |
| AWS Shield Standard | Common network and transport layer DDoS (Layers 3/4) | Always-on baseline protection | Free for every AWS account; no configuration needed |
| AWS Shield Advanced | Larger and more sophisticated DDoS, including Layer 7 when combined with WAF | Mission-critical workloads | Paid subscription: 24/7 Shield Response Team (SRT), WAF usage included, DDoS cost protection |
| AWS Firewall Manager | Centralized management of WAF, Shield Advanced, security group and Network Firewall policies across an Organization | Multi-account orgs | "Centralized policy" = Firewall Manager (not inline protection) |
Exam Clues
If you see SQLi or XSS → AWS WAF
If you see DDoS → AWS Shield (Standard or Advanced)
If you see Policy management across accounts → Firewall Manager
If you see EC2 direct attachment → Incorrect (WAF never attaches directly to EC2)
Exam Highlights
AWS WAF provides application-layer defense (Layer 7).
AWS Shield Standard absorbs network-layer DDoS (Layers 3–4); Shield Advanced adds Layer 7 DDoS protection by combining with AWS WAF.
Firewall Manager centralizes management, not runtime defense.
Ready to take your AWS Solutions Architect – Associate prep to the next level?
Join our Study Notes and Study Group to connect with fellow learners, access structured exam-aligned resources (study notes, flashcards, scenario-based questions, personalized study plans with email reminders, and the ability to add notes to any lesson), and participate in weekly, exam-aligned sessions using a live AWS environment to explore architecture decisions through a real-world e-commerce application.
Start your journey here: https://labs.itassist.com/aws-certified-solution-architect-associate-study-notes
📺 New to the platform? Watch the YouTube playlist to see all the features in action: https://www.youtube.com/playlist?list=PLqwTb4xwPh0e7w3iNS6I7UzAds7wNlAo7