
A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses. Downtime is not acceptable for the website.
Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)
A. Use AWS Shield Advanced to stop the DDoS attack.
B. Configure Amazon GuardDuty to automatically block the attackers.
C. Configure the website to use Amazon CloudFront for both static and dynamic content.
D. Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs.
E. Use EC2 Spot Instances in an Auto Scaling group with a target tracking scaling policy that is set to 80% CPU utilization.
Explanation:
Correct Answers: A and C
A. Use AWS Shield Advanced to stop the DDoS attack. - AWS Shield Advanced provides enhanced DDoS protection specifically designed to protect against large-scale DDoS attacks. It offers 24/7 access to the AWS DDoS Response Team (DRT), advanced attack mitigation, and cost protection for scaling during attacks.
C. Configure the website to use Amazon CloudFront for both static and dynamic content. - CloudFront provides built-in DDoS mitigation capabilities through AWS Shield Standard (included at no extra cost). It also helps absorb and distribute attack traffic across AWS's global edge network, reducing the load on origin servers.
Why other options are incorrect:
B. Configure Amazon GuardDuty to automatically block the attackers. - GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior; it is not designed for real-time DDoS mitigation and has no built-in capability to block attack traffic automatically.
D. Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs. - This approach is not scalable for large-scale DDoS attacks originating from thousands of IP addresses. Network ACLs have limits on the number of rules, and managing thousands of IPs dynamically would be inefficient and may not provide adequate protection.
E. Use EC2 Spot Instances in an Auto Scaling group with a target tracking scaling policy that is set to 80% CPU utilization. - While Auto Scaling can help handle increased load, it doesn't protect against DDoS attacks. In fact, scaling up during a DDoS attack would increase costs without actually mitigating the attack. Spot Instances can be interrupted, which is not acceptable for a website where downtime is not acceptable.
Key AWS Services for DDoS Protection:
For comprehensive DDoS protection in this scenario, combining AWS Shield Advanced with CloudFront provides both advanced attack mitigation and edge distribution capabilities.
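As an added illustration of answers A and C (not part of the original question or explanation), the CloudFormation template below fronts the Windows web tier with a CloudFront distribution that serves dynamic paths uncached and caches `/static/*`, then registers that distribution as an AWS Shield Advanced protected resource. It assumes the EC2 instances sit behind a load balancer whose DNS name is passed in as `OriginDomainName`, that the `/static/*` path prefix is a placeholder for the site's own layout, and that the account is already subscribed to Shield Advanced (the subscription itself is account-level and is not created by this template); the cache and origin-request policy IDs are the AWS managed policies CachingDisabled, AllViewer and CachingOptimized.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFront in front of the web tier, protected by AWS Shield Advanced (added example)

Parameters:
  OriginDomainName:
    Type: String
    Description: DNS name of the load balancer in front of the Windows EC2 web servers (assumed)

Resources:
  WebDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: Edge layer absorbs volumetric traffic before it reaches the origin
        Origins:
          - Id: web-origin
            DomainName: !Ref OriginDomainName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              HTTPSPort: 443
        # Dynamic content: forwarded to the origin on every request, nothing cached,
        # but still terminated at the edge so Shield Standard/Advanced mitigation applies.
        DefaultCacheBehavior:
          TargetOriginId: web-origin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad        # managed CachingDisabled
          OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3 # managed AllViewer
        # Static content: served from the edge cache, so attack traffic for these
        # paths never reaches the EC2 instances at all.
        CacheBehaviors:
          - PathPattern: "/static/*"                               # placeholder prefix
            TargetOriginId: web-origin
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6     # managed CachingOptimized

  # Shield Advanced protection for the distribution; requires an existing
  # Shield Advanced subscription on the account (answer A).
  WebDistributionProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: web-distribution-protection
      ResourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${WebDistribution}"

Outputs:
  DistributionDomainName:
    Value: !GetAtt WebDistribution.DomainName
```

The origin must also be restricted so that it only accepts traffic arriving through CloudFront (for example by allowing only the CloudFront origin-facing address ranges in the load balancer's security group); otherwise attack traffic sent directly to the origin's public address skips the edge layer entirely.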