AWS · SOA-C03

Network Security And Edge Protection — AWS SysOps Administrator (SOA-C03)

5% of exam questions (9 of 200)

Security Groups Cannot Deny — NACLs Can

A scenario asks you to block traffic from a specific IP range. The instinct is to add a Security Group deny rule, but Security Groups are stateful and hold only allow rules: there is no explicit deny, and anything not allowed is simply dropped. Network ACLs are stateless and support explicit allow and deny entries at the subnet level, evaluated in ascending rule-number order with the first match deciding. Selecting the wrong control layer produces an answer that cannot implement the stated requirement, even though both mechanisms are legitimate network security tools in AWS. Two checks apply when the answer is a NACL: the deny entry needs a lower rule number than any broader allow that would match the same traffic, otherwise it is never reached; and because NACLs are stateless, return traffic must be allowed explicitly in the opposite direction (typically the ephemeral port range 1024-65535).
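As an added illustration (not code from the page or from AWS), the following JavaScript models the two evaluation orders: a Security Group is an unordered set of allow rules, while a NACL is an ordered list of allow/deny entries with an implicit final deny per direction. The CIDRs, ports and rule numbers are constructed sample data, and the function names (parseCidr, securityGroupAllows, naclDecision, scenario) are this example's own, not an AWS API.

```javascript
// Added example (not from the page or from AWS): a model of how a Security
// Group and a Network ACL each decide on a packet. It exists to show why
// "block 203.0.113.0/24" cannot be written as a Security Group rule and why
// the rule number of a NACL deny entry matters. CIDRs, ports and rule
// numbers are constructed sample data; the function names are this
// example's own, not an AWS API.

// Parse "a.b.c.d/n" (a bare address is treated as /32) into 32-bit integers.
function parseCidr(cidr) {
  var parts = cidr.split('/');
  var o = parts[0].split('.').map(Number);
  var bits = parts.length > 1 ? Number(parts[1]) : 32;
  var base = ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return { base: (base & mask) >>> 0, mask: mask };
}

function cidrContains(cidr, ip) {
  var net = parseCidr(cidr);
  return ((parseCidr(ip).base & net.mask) >>> 0) === net.base;
}

function protoMatches(rule, pkt) {
  return rule.protocol === 'all' || rule.protocol === pkt.protocol;
}

function portMatches(rule, pkt) {
  return rule.protocol === 'all' ||
    (pkt.port >= rule.portRange[0] && pkt.port <= rule.portRange[1]);
}

// Security Group: an unordered set of ALLOW rules. A packet passes if any
// rule matches. There is no deny rule to write, so a source can only be
// kept out by never allowing it; replies are admitted statefully.
function securityGroupAllows(rules, pkt) {
  return rules.some(function (r) {
    return protoMatches(r, pkt) && portMatches(r, pkt) &&
      cidrContains(r.cidr, pkt.peerIp);
  });
}

// Network ACL: an ordered list of ALLOW/DENY entries per direction. The
// lowest-numbered matching entry decides; the implicit "*" entry denies
// whatever reaches the end of the list. Each direction is checked alone.
function naclDecision(entries, pkt) {
  var sorted = entries.slice().sort(function (a, b) {
    return a.ruleNumber - b.ruleNumber;
  });
  for (var i = 0; i < sorted.length; i++) {
    var e = sorted[i];
    if (e.egress === pkt.egress && protoMatches(e, pkt) &&
        portMatches(e, pkt) && cidrContains(e.cidr, pkt.peerIp)) {
      return { action: e.action, ruleNumber: e.ruleNumber };
    }
  }
  return { action: 'deny', ruleNumber: '*' };
}

// Scenario: HTTPS is open to the world and 203.0.113.0/24 must be blocked.
function scenario() {
  var fromBlocked = { egress: false, protocol: 'tcp', port: 443, peerIp: '203.0.113.7' };
  // Reply packet of an allowed client's connection: egress to an ephemeral port.
  var replyToClient = { egress: true, protocol: 'tcp', port: 50000, peerIp: '198.51.100.5' };

  var sg = [{ protocol: 'tcp', portRange: [443, 443], cidr: '0.0.0.0/0' }];

  // Deny entry numbered after the allow: never reached, so it does nothing.
  var naclWrongOrder = [
    { ruleNumber: 100, egress: false, action: 'allow', protocol: 'tcp', portRange: [443, 443], cidr: '0.0.0.0/0' },
    { ruleNumber: 200, egress: false, action: 'deny', protocol: 'all', cidr: '203.0.113.0/24' }
  ];
  // Deny entry numbered before the allow, plus the egress entry a stateless
  // NACL needs so that return traffic on ephemeral ports can leave the subnet.
  var naclCorrect = [
    { ruleNumber: 90, egress: false, action: 'deny', protocol: 'all', cidr: '203.0.113.0/24' },
    { ruleNumber: 100, egress: false, action: 'allow', protocol: 'tcp', portRange: [443, 443], cidr: '0.0.0.0/0' },
    { ruleNumber: 100, egress: true, action: 'allow', protocol: 'tcp', portRange: [1024, 65535], cidr: '0.0.0.0/0' }
  ];

  return {
    sgStillAllowsBlockedRange: securityGroupAllows(sg, fromBlocked),
    naclWrongOrder: naclDecision(naclWrongOrder, fromBlocked),
    naclCorrect: naclDecision(naclCorrect, fromBlocked),
    replyWithoutEgressEntry: naclDecision(naclWrongOrder, replyToClient),
    replyWithEgressEntry: naclDecision(naclCorrect, replyToClient)
  };
}

console.log(JSON.stringify(scenario(), null, 2));
```

Running it shows the three outcomes the exam is probing: the Security Group still admits 203.0.113.7 because allow-all on 443 matches and nothing can override it; the NACL with the deny at rule 200 also admits it because rule 100 matched first; only the NACL with the deny at rule 90 blocks it, and only the version with an egress entry lets replies out of the subnet at all.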

What This Pattern Tests

The exam describes a threat and tests which edge protection applies. AWS WAF operates at Layer 7: it inspects HTTP/HTTPS requests and blocks SQL injection, XSS, and request floods from a single source through rate-based rules. Web ACLs attach to CloudFront, Application Load Balancers, or API Gateway (among other regional resources). AWS Shield Standard is free, enabled automatically, and absorbs Layer 3/4 DDoS such as SYN floods and UDP reflection. Shield Advanced adds 24/7 access to the Shield Response Team (SRT), cost protection against usage spikes caused by an attack, near-real-time attack metrics, and AWS WAF usage at no extra charge on protected resources, for $3,000 per month with a one-year commitment. CloudFront Functions handle lightweight request/response manipulation (URL rewrites, header addition) in the viewer-request and viewer-response stages at the edge, with no network access and no access to the request body. Lambda@Edge handles heavier logic (authentication, A/B testing) and can also run on origin-request and origin-response events, but with higher latency. The trap is using WAF to stop a volumetric DDoS (it inspects application-layer requests, not packet floods, although a rate-based rule is the right tool for an HTTP request flood) or Shield to block SQL injection (it handles network-layer attacks and does not inspect HTTP payloads).
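As an added example (not from the page or from AWS), here is the kind of code the CloudFront Functions tier is meant for, written in the ES5-compatible subset the cloudfront-js runtime accepts: a viewer-request handler that rewrites directory paths to index.html and rejects unsupported methods at the edge, and a viewer-response handler that adds security headers. The dispatch on event.context.eventType lets one file show both stages; in a real distribution you would publish them as two functions, one per association. The sampleEvents()/runSamples() harness and the Content-Security-Policy value are constructed for this example.

```javascript
// Added example (not from the page or from AWS): CloudFront Function code
// in the ES5-compatible subset of the cloudfront-js runtime. It shows the
// lightweight edge work the page assigns to CloudFront Functions: a URL
// rewrite and a method check on viewer-request, header addition on
// viewer-response. There is no network access and no request body here,
// which is exactly why heavier logic belongs in Lambda@Edge.

function handler(event) {
  // One file serves both stages for illustration; in a distribution you
  // publish two functions and associate each with one event type.
  if (event.context.eventType === 'viewer-response') {
    return addSecurityHeaders(event.response);
  }
  return rewriteRequest(event.request);
}

function rewriteRequest(request) {
  // A static site never serves other methods; answer from the edge instead
  // of forwarding the request to the origin.
  if (request.method !== 'GET' && request.method !== 'HEAD') {
    return {
      statusCode: 405,
      statusDescription: 'Method Not Allowed',
      headers: { allow: { value: 'GET, HEAD' } }
    };
  }
  // Map directory-style paths to index.html so an S3 origin can stay a
  // private REST endpoint with no website hosting or listing enabled.
  var uri = request.uri;
  if (uri.charAt(uri.length - 1) === '/') {
    request.uri = uri + 'index.html';
  } else if (uri.lastIndexOf('.') < uri.lastIndexOf('/')) {
    request.uri = uri + '/index.html';
  }
  return request;
}

function addSecurityHeaders(response) {
  // Header names must be lowercase; each value is wrapped in { value: ... }.
  var h = response.headers;
  h['strict-transport-security'] = { value: 'max-age=63072000; includeSubDomains; preload' };
  h['x-content-type-options'] = { value: 'nosniff' };
  h['x-frame-options'] = { value: 'DENY' };
  h['referrer-policy'] = { value: 'strict-origin-when-cross-origin' };
  // Policy value is an assumption for a self-contained static site.
  h['content-security-policy'] = { value: "default-src 'self'; frame-ancestors 'none'" };
  return response;
}

// Constructed sample events in the shape of the cloudfront-js event object,
// for running this file locally with Node; not part of the deployed function.
function sampleEvents() {
  function viewerRequest(method, uri) {
    return { context: { eventType: 'viewer-request' },
             request: { method: method, uri: uri, querystring: {}, headers: {}, cookies: {} } };
  }
  return {
    directory: viewerRequest('GET', '/docs/'),
    extensionless: viewerRequest('GET', '/docs'),
    asset: viewerRequest('GET', '/app/main.js'),
    post: viewerRequest('POST', '/api'),
    response: { context: { eventType: 'viewer-response' },
                request: viewerRequest('GET', '/').request,
                response: { statusCode: 200, statusDescription: 'OK',
                            headers: { 'content-type': { value: 'text/html' } }, cookies: {} } }
  };
}

function runSamples() {
  var ev = sampleEvents();
  return {
    directory: handler(ev.directory).uri,
    extensionless: handler(ev.extensionless).uri,
    asset: handler(ev.asset).uri,
    post: handler(ev.post).statusCode,
    hsts: handler(ev.response).headers['strict-transport-security'].value
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Everything here is string and object manipulation on the event, which is what keeps it inside the CloudFront Functions budget. The moment the logic needs to call an identity provider, read a request body, or pick an origin per request, it has outgrown this tier and the answer on the exam becomes Lambda@Edge.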

Decision Axis

Threat type (application-layer vs. volumetric DDoS vs. edge logic) determines which service: WAF, Shield, CloudFront Functions, or Lambda@Edge.

Decision Rules

Whether the stated L3/L4 volumetric attack is already fully mitigated by AWS Shield Standard, which is automatic and carries no incremental cost. If it is, subscribing to Shield Advanced or deploying WAF rules adds nothing against that attack and is over-provisioning under a cost-and-coverage constraint; Shield Advanced becomes the answer only when the scenario also asks for the Shield Response Team, cost protection, or attack visibility.

AWS Shield · AWS WAF · Amazon CloudFront

Attach the AWS WAF web ACL only to the CloudFront distribution, so that application-layer rules are evaluated at the edge before requests traverse the origin network. Attaching web ACLs to both CloudFront and the ALB is over-provisioning when CloudFront is the sole public ingress path: the second web ACL is billed and evaluates every request again without intercepting any additional threat. The precondition is that the ALB really is reachable only through CloudFront; enforce it with an ALB security group that admits inbound traffic only from the CloudFront origin-facing managed prefix list (com.amazonaws.global.cloudfront.origin-facing), otherwise the ALB is a second, unprotected front door.

AWS WAF · Amazon CloudFront · Elastic Load Balancing

Shield Standard covers L3/L4 DDoS automatically at no added cost. Closing an L7 SQL injection exposure requires explicitly attaching an AWS WAF web ACL with a SQLi rule (for example the AWS managed SQL database rule group) to the CloudFront distribution, because Shield Advanced upgrades DDoS response capabilities but does not inspect HTTP payloads. The web ACL is a compensating control at the edge: it blocks exploitation while the vulnerability itself is fixed in the application with parameterized queries.

AWS Shield · AWS WAF · Amazon CloudFront

Domain Coverage

Security and Compliance · Networking and Content Delivery

Difficulty Breakdown

Medium: 9