Explanation
Why C (AWS WAF to protect Amazon API Gateway) is correct:
- Web Application Firewall (WAF) protection: AWS WAF is specifically designed to protect against web exploits like SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.
- API Gateway integration: Since external users access the application through Amazon API Gateway, placing WAF in front of API Gateway provides protection at the entry point where web traffic enters the system.
- Layer 7 protection: SQL injection attacks operate at the application layer (Layer 7), and AWS WAF is optimized for inspecting and filtering HTTP/HTTPS traffic.
Why B (AWS Shield Advanced with the NLB) is correct:
- DDoS protection for NLB: AWS Shield Advanced provides enhanced DDoS protection for Network Load Balancers (NLBs) and other AWS resources.
- Sophisticated DDoS mitigation: Shield Advanced offers protection against large, sophisticated DDoS attacks with features like:
  - 24/7 DDoS response team access
  - Advanced attack visibility and metrics
  - Cost protection for scaling during attacks
  - Integration with AWS WAF for application layer protection
- Network layer protection: Since the NLB operates at Layer 4 (TCP/UDP), Shield Advanced provides DDoS protection at the network and transport layers.
Why other options are incorrect:
- A (AWS WAF to protect the NLB): While possible, NLB operates at Layer 4 and doesn't process HTTP traffic natively. WAF is more effective when protecting HTTP endpoints like API Gateway.
- D (Amazon GuardDuty with AWS Shield Standard): GuardDuty is a threat detection service that analyzes logs and raises findings; it does not block traffic. Shield Standard is enabled automatically for all AWS customers and provides basic DDoS protection, but it doesn't offer the advanced features needed for sophisticated attacks.
- E (AWS Shield Standard with Amazon API Gateway): Shield Standard provides only basic DDoS protection, not the advanced protection needed for sophisticated attacks mentioned in the requirement.
Architecture Flow:
External Users → API Gateway (protected by AWS WAF) → NLB (protected by AWS Shield Advanced) → EC2 instances
This combination provides comprehensive protection:
- AWS WAF on API Gateway: Protects against web exploits (SQL injection, etc.) at the application entry point
- AWS Shield Advanced on NLB: Provides advanced DDoS protection for the network infrastructure
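The architecture above expressed as Terraform, added here as an example and not part of the original explanation: a regional AWS WAF web ACL using the AWS-managed SQL injection rule group, associated with the API Gateway stage, plus a Shield Advanced protection on the NLB. It assumes existing resources named `aws_api_gateway_stage.prod` and `aws_lb.internal`, and an active Shield Advanced subscription on the account.

```hcl
# Web ACL for API Gateway must use scope REGIONAL (CLOUDFRONT is only for distributions).
resource "aws_wafv2_web_acl" "api" {
  name  = "api-gateway-acl"
  scope = "REGIONAL"

  default_action {
    allow {}   # only requests matching a blocking rule are rejected
  }

  rule {
    name     = "aws-managed-sqli"
    priority = 1

    override_action {
      none {}  # keep the managed group's own block actions
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"  # Layer 7 SQL injection signatures
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true   # per-rule metrics for detection/alerting
      metric_name                = "aws-managed-sqli"
      sampled_requests_enabled   = true   # keep samples for investigating blocked requests
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "api-gateway-acl"
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL at the entry point: the API Gateway stage (assumed name: prod).
resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = aws_api_gateway_stage.prod.arn
  web_acl_arn  = aws_wafv2_web_acl.api.arn
}

# Shield Advanced protection for the Layer 4 NLB (assumed name: internal).
# Requires the account to already be subscribed to Shield Advanced.
resource "aws_shield_protection" "nlb" {
  name         = "nlb-ddos-protection"
  resource_arn = aws_lb.internal.arn
}
```

Adding `AWSManagedRulesCommonRuleSet` as a second rule extends coverage to XSS and other OWASP Top 10 patterns the explanation mentions; `terraform plan` will reject the Shield resource if the subscription is not active.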