AWS Certified Solutions Architect - Associate

Explanation

Correct Answer: C - Enable AWS Shield Advanced to prevent attacks.

Why this is correct:

1. AWS Shield Advanced is specifically designed to protect against DDoS (Distributed Denial of Service) attacks. It provides enhanced protection for web applications running on AWS.

2. Key features of AWS Shield Advanced:

   • Always-on detection and automatic inline mitigations
   • Protection against layer 3/4 (infrastructure) and layer 7 (application) DDoS attacks
   • Integration with Amazon CloudFront, Amazon Route 53, and Elastic Load Balancing (including ALB)
   • 24/7 access to the AWS DDoS Response Team (DRT)
   • Cost protection for scaling during DDoS attacks

Why the other options are incorrect:

A. Add an Amazon Inspector agent to the ALB.

• Amazon Inspector is for vulnerability assessment and security compliance, not DDoS protection
• Inspector agents are installed on EC2 instances, not on ALBs

B. Configure Amazon Macie to prevent attacks.

• Amazon Macie is for data security and discovering sensitive data using machine learning
• It helps identify PII, financial data, etc., but doesn't protect against DDoS attacks

D. Configure Amazon GuardDuty to monitor the ALB.

• Amazon GuardDuty is a threat detection service that monitors for malicious activity
• While it can detect some DDoS-related anomalies, it's primarily for monitoring and detection, not prevention
• Shield Advanced provides active protection and mitigation

Additional context:

• AWS Shield comes in two tiers: Standard (free, automatic for all AWS customers) and Advanced (paid, with enhanced features)
• For a public web application with an ALB, Shield Advanced provides comprehensive DDoS protection
• The solutions architect should also consider implementing AWS WAF (Web Application Firewall) for additional layer 7 protection