The correct answer is: Configure AWS WAF rules and associate them with the ALB.

AWS WAF (Web Application Firewall) is a managed service that integrates directly with ALBs, API Gateway, and CloudFront. It allows users to define custom rules or use AWS Managed Rules to block common web exploits like XSS and SQL injection without deploying or managing any infrastructure. Since its a fully managed service, it aligns perfectly with the companys goal of reducing operational responsibility while improving application security.

Why the other options are incorrect:

Deploying the application using Amazon S3 with public hosting enabled is not applicable for dynamic, backend services like those typically behind an ALB. This solution exposes the app without proper access controls or backend processing capabilities and does not support ALB-specific use cases.

Deploying AWS Shield Advanced and adding the ALB as a protected resource focuses on mitigating DDoS attacks, not application-layer vulnerabilities. While useful in high-security environments, it does not address cross-site scripting or SQL injection, and it is costlier and more complex than AWS WAF for this use case.

Routing traffic through an EC2-based third-party firewall significantly increases the operational burden by requiring the team to manage, patch, and secure a virtual appliance. It contradicts the requirement to minimize infrastructure and management effort.

Why this question is important: This scenario evaluates your ability to select the appropriate AWS security tool based on the type of threat (application-layer vs. infrastructure-layer), operational overhead, and company constraints. Many questions test your understanding of managed services vs. self-managed infrastructure.

Tip: When a question mentions reducing management effort and blocking web exploits like XSS or SQL injection, think of AWS WAF. If the focus is on large-scale attacks like DDoS, AWS Shield might be more appropriate.

Full AWS Practitioner Certification Question