Question 10 - Amazon ANS-C01 Real Exam Questions [Jan 2026 Update]

Q: 10

A company hosts a web application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The company uses an Amazon CloudFront distribution with the ALB as an origin. The application recently experienced an attack. In response, the company associated an AWS WAF web ACL with the CloudFront distribution. The company needs to use Amazon Athena to analyze application attacks that AWS WAF detects. Which solution will meet this requirement?

Options

Correct Answer:

Explanation

The requirement is to analyze logs from AWS WAF using Amazon Athena. To do this, the WAF logs must be stored in an Amazon S3 bucket, as Athena queries data directly in S3. The standard and recommended method for exporting AWS WAF logs is to configure the web ACL to send log data to an Amazon Kinesis Data Firehose delivery stream. This delivery stream can then be configured to deliver the logs to an S3 bucket in a format suitable for analysis. Once the logs are in S3, an Athena table can be created to query and analyze the WAF-detected attack patterns.

Why Incorrect

A. VPC flow logs capture IP traffic information for network interfaces. They do not contain the application-layer details of AWS WAF rule evaluations or actions, which are necessary to analyze attacks.

B. AWS CloudTrail logs API activity within your AWS account. It records actions like creating or modifying a web ACL, but not the web requests that the WAF inspects.

D. Application Load Balancer (ALB) access logs record details about requests sent to the ALB. However, in this architecture, WAF is associated with CloudFront, so it will block malicious requests at the edge before they even reach the ALB. Furthermore, ALB logs do not contain WAF-specific fields like ruleGroupId or action.

References

1. AWS WAF Developer Guide, Logging and monitoring web ACL traffic: "To enable logging, you configure your web ACL to send the logs to an Amazon Kinesis Data Firehose data stream... Kinesis Data Firehose can deliver your web ACL traffic logs to a number of destinations. This guide provides instructions for Amazon S3." This document outlines the exact process described in the correct answer.

2. AWS Documentation, Amazon Athena User Guide, Querying AWS WAF logs: "AWS WAF is a web application firewall that lets you monitor HTTP and HTTPS requests that are forwarded to an Amazon API Gateway API, Amazon CloudFront, or an Application Load Balancer. You can use Athena to query AWS WAF logs." The guide presupposes that logging has been configured to deliver logs to S3, typically via Kinesis Data Firehose.

3. AWS Security Blog, "How to analyze AWS WAF logs using Amazon Athena and Amazon QuickSight": This official blog post details the architecture for analysis: "This post shows you how to set up an analysis solution for AWS WAF logs. The solution uses Amazon Kinesis Data Firehose to deliver logs to Amazon Simple Storage Service (Amazon S3). From there, you can use Amazon Athena to query the logs..." This directly supports option C as the correct solution.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE