AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is designing a cloud communications platform that is driven by APIs. The application is hosted on Amazon EC2 instances behind a Network Load Balancer (NLB). The company uses Amazon API Gateway to provide external users with access to the application through APIs. The company wants to protect the platform against web exploits like SQL injection and also wants to detect and mitigate large, sophisticated DDoS attacks.

Which combination of solutions provides the MOST protection? (Choose two.)

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use AWS WAF to protect the NLB.

Use AWS Shield Advanced with the NLB.

Use AWS WAF to protect Amazon API Gateway.

Use Amazon GuardDuty with AWS Shield Standard.

Use AWS Shield Standard with Amazon API Gateway.

Explanation:

Explanation

Why C (AWS WAF to protect Amazon API Gateway) is correct:

Web Application Firewall (WAF) protection: AWS WAF is specifically designed to protect against web exploits like SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.
API Gateway integration: Since external users access the application through Amazon API Gateway, placing WAF in front of API Gateway provides protection at the entry point where web traffic enters the system.
Layer 7 protection: SQL injection attacks operate at the application layer (Layer 7), and AWS WAF is optimized for inspecting and filtering HTTP/HTTPS traffic.

Why B (AWS Shield Advanced with the NLB) is correct:

DDoS protection for NLB: AWS Shield Advanced provides enhanced DDoS protection for Network Load Balancers (NLBs) and other AWS resources.
Sophisticated DDoS mitigation: Shield Advanced offers protection against large, sophisticated DDoS attacks with features like:
- 24/7 DDoS response team access
- Advanced attack visibility and metrics
- Cost protection for scaling during attacks
- Integration with AWS WAF for application layer protection
Network layer protection: Since the NLB operates at Layer 4 (TCP/UDP), Shield Advanced provides DDoS protection at the network and transport layers.

Why other options are incorrect:

A (AWS WAF to protect the NLB): While possible, NLB operates at Layer 4 and doesn't process HTTP traffic natively. WAF is more effective when protecting HTTP endpoints like API Gateway.
D (Amazon GuardDuty with AWS Shield Standard): GuardDuty is for threat detection (not protection), and Shield Standard provides basic DDoS protection automatically for all AWS customers, but doesn't offer the advanced features needed for sophisticated attacks.
E (AWS Shield Standard with Amazon API Gateway): Shield Standard provides only basic DDoS protection, not the advanced protection needed for sophisticated attacks mentioned in the requirement.

Architecture Flow: External Users → API Gateway (protected by AWS WAF) → NLB (protected by AWS Shield Advanced) → EC2 instances

This combination provides comprehensive protection:

AWS WAF on API Gateway: Protects against web exploits (SQL injection, etc.) at the application entry point
AWS Shield Advanced on NLB: Provides advanced DDoS protection for the network infrastructure

Powered ByGPT-5.2

Comments

Loading comments...