AWS · SAP-C02

Network Security And Edge Protection — AWS Solutions Architect Pro (SAP-C02)

3% of exam questions (5 of 200)

WAF for HTTP Attacks; Shield for Volumetric DDoS

'SQL injection,' 'cross-site scripting,' 'rate limiting by URI pattern,' and 'malformed HTTP headers' all point to WAF, not Security Groups. Security Groups and Network ACLs operate at layers 3 and 4 and cannot inspect HTTP request content. Shield Standard automatically protects all AWS resources against volumetric network-layer attacks at no additional cost. Shield Advanced adds application-layer detection, 24/7 DRT access, and financial protection against cost spikes from attack-driven scaling. SAP-C02 questions signal the correct service by describing the attack vector, not the service family. Read the threat description first, then select the control that operates at the layer the attack targets.

What This Pattern Tests

The exam describes a threat and tests which edge protection applies. AWS WAF operates at Layer 7: it inspects HTTP/HTTPS requests and blocks SQL injection, XSS, and rate-based attacks. Rules attach to CloudFront, ALB, or API Gateway. AWS Shield Standard is free and protects against Layer 3/4 DDoS (SYN floods, UDP reflection). Shield Advanced adds the DDoS Response Team (DRT), cost protection, and real-time metrics for $3,000/month. CloudFront Functions handle lightweight request/response manipulation (URL rewrites, header addition) at the edge. Lambda@Edge handles heavier logic (authentication, A/B testing) but with higher latency. The trap is using WAF to stop DDoS (it blocks application-layer attacks, not volumetric floods) or Shield to block SQL injection (it handles network-layer attacks, not application-layer ones).
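To make the Layer 7 point concrete, here is an added example (not from the original page or from AWS) that assembles the request body for boto3's `wafv2.create_web_acl`: a rate-based rule scoped to a URI prefix, plus the AWS managed rule groups for SQL injection and common web attacks (XSS, malformed requests). `Scope` is `CLOUDFRONT` for a distribution (created in us-east-1) or `REGIONAL` for an ALB or API Gateway stage. The web ACL name, URI prefix, metric names and request limit are assumed values; the live API call is only made under `__main__`, so the builder and validator run offline.

```python
"""Build and sanity-check an AWS WAFv2 web ACL definition (Layer 7 controls).

The dict returned by build_web_acl() has the shape of the keyword arguments
to boto3's wafv2.create_web_acl. Names, prefixes and limits below are assumed
example values, not settings from any real deployment.
"""

from typing import Any, Dict, List

# AWS-published managed rule groups (vendor name "AWS").
SQLI_RULE_GROUP = "AWSManagedRulesSQLiRuleSet"      # SQL injection signatures
COMMON_RULE_GROUP = "AWSManagedRulesCommonRuleSet"  # XSS, oversized/malformed requests


def _visibility(metric_name: str) -> Dict[str, Any]:
    """Emit CloudWatch metrics and sampled requests so blocks can be alarmed on."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def rate_limit_rule(priority: int, uri_prefix: str, limit: int) -> Dict[str, Any]:
    """Block a source IP exceeding `limit` requests per 5-minute window on
    paths that start with `uri_prefix` (rate limiting by URI pattern)."""
    return {
        "Name": "rate-limit-" + uri_prefix.strip("/").replace("/", "-"),
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "AggregateKeyType": "IP",
                # Only requests matching the scope-down statement count toward the limit.
                "ScopeDownStatement": {
                    "ByteMatchStatement": {
                        "SearchString": uri_prefix.encode(),
                        "FieldToMatch": {"UriPath": {}},
                        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                        "PositionalConstraint": "STARTS_WITH",
                    }
                },
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("RateLimit"),
    }


def managed_group_rule(priority: int, group_name: str) -> Dict[str, Any]:
    """Reference an AWS managed rule group. Managed groups carry their own
    per-rule actions, so the wrapping rule uses OverrideAction, not Action."""
    return {
        "Name": group_name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_name}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility(group_name),
    }


def build_web_acl(name: str, scope: str, uri_prefix: str = "/login", limit: int = 1000) -> Dict[str, Any]:
    """Assemble the create_web_acl request for a CloudFront or regional resource."""
    if scope not in ("CLOUDFRONT", "REGIONAL"):
        raise ValueError("scope must be CLOUDFRONT or REGIONAL")
    return {
        "Name": name,
        "Scope": scope,
        "DefaultAction": {"Allow": {}},  # block only what a rule matches
        "Rules": [
            rate_limit_rule(0, uri_prefix, limit),
            managed_group_rule(1, SQLI_RULE_GROUP),
            managed_group_rule(2, COMMON_RULE_GROUP),
        ],
        "VisibilityConfig": _visibility(name),
    }


def validate_rules(rules: List[Dict[str, Any]]) -> List[str]:
    """Return problems the WAFv2 API rejects: duplicate priorities and the
    Action/OverrideAction mix-up between custom rules and managed groups."""
    problems: List[str] = []
    seen = set()
    for r in rules:
        if r["Priority"] in seen:
            problems.append(f"duplicate priority {r['Priority']} on {r['Name']}")
        seen.add(r["Priority"])
        managed = "ManagedRuleGroupStatement" in r["Statement"]
        if managed and "OverrideAction" not in r:
            problems.append(f"{r['Name']}: managed rule group needs OverrideAction")
        if not managed and "Action" not in r:
            problems.append(f"{r['Name']}: custom rule needs Action")
    return problems


if __name__ == "__main__":
    acl = build_web_acl("edge-protection-demo", "REGIONAL")  # assumed name
    assert not validate_rules(acl["Rules"])
    import boto3  # only needed for the live call

    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    print(wafv2.create_web_acl(**acl)["Summary"]["ARN"])
```

After creation, a `REGIONAL` web ACL is attached to an ALB or API Gateway stage with `wafv2.associate_web_acl(WebACLArn=..., ResourceArn=...)`; a `CLOUDFRONT` web ACL is attached by setting the ARN as the distribution's `WebACLId`. Nothing in this ACL helps against a SYN flood or UDP reflection: those never carry an HTTP request for the rules to inspect, which is the Shield side of the decision.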

Decision Axis

Threat type (application-layer vs. volumetric DDoS vs. edge logic) determines which service: WAF, Shield, CloudFront Functions, or Lambda@Edge.

Decision Rules

Deciding between a single centralized inspection VPC running AWS Network Firewall under a Firewall Manager policy and independent Network Firewall deployments replicated in each member account: the central hub model satisfies both the policy-drift constraint and the cost constraint. Per-account replication provides inspection coverage but fails on cost (a full set of firewall endpoints in every account, so cost multiplies with the number of accounts) and relies on after-the-fact drift detection rather than proactive policy enforcement.

Related services: AWS Network Firewall, AWS Firewall Manager, AWS WAF

Domain Coverage

Design Solutions for Organizational Complexity

Difficulty Breakdown

Medium: 5