AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is preparing to launch a public-facing web application in the AWS Cloud. The architecture consists of Amazon EC2 instances within a VPC behind an Elastic Load Balancer (ELB). A third-party service is used for the DNS. The company's solutions architect must recommend a solution to detect and protect against large-scale DDoS attacks. Which solution meets these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Enable Amazon GuardDuty on the account.

Enable Amazon Inspector on the EC2 instances.

Enable AWS Shield and assign Amazon Route 53 to it.

Enable AWS Shield Advanced and assign the ELB to it.

Explanation:

Explanation

Correct Answer: D - Enable AWS Shield Advanced and assign the ELB to it.

Why this is correct:

AWS Shield Advanced is specifically designed to provide enhanced DDoS protection for web applications running on AWS. It offers:
- Advanced DDoS detection and mitigation
- 24/7 access to the AWS DDoS Response Team (DRT)
- Cost protection for scaling during DDoS attacks
- Integration with AWS WAF for application layer protection
Assigning the ELB to Shield Advanced is the correct approach because:
- The Elastic Load Balancer is the entry point for traffic to the web application
- Shield Advanced can protect AWS resources like ELB, Amazon CloudFront, and Amazon Route 53
- Since the company uses a third-party DNS service, they cannot use Route 53-based protection

Why other options are incorrect:

A. Amazon GuardDuty - This is a threat detection service that uses machine learning to identify malicious activity and unauthorized behavior, but it's not specifically designed for DDoS protection.

B. Amazon Inspector - This is an automated security assessment service that helps improve security and compliance of applications deployed on AWS, but it doesn't provide DDoS protection.

C. AWS Shield and assign Amazon Route 53 to it - AWS Shield Standard provides automatic protection for all AWS customers at no additional cost, but:

It only protects AWS resources (not third-party DNS)
The company uses a third-party DNS service, so they cannot assign Route 53 to it
AWS Shield Standard doesn't provide the advanced DDoS protection features needed for large-scale attacks

Key Takeaways:

For public-facing web applications requiring protection against large-scale DDoS attacks, AWS Shield Advanced is the appropriate service
Shield Advanced can protect AWS resources like ELB, CloudFront, and Route 53
When using third-party DNS, you cannot leverage Route 53's DDoS protection capabilities
Shield Advanced provides comprehensive DDoS protection with dedicated support and cost protection

Powered ByGPT-5.2

Comments

Loading comments...