AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company has implemented a self-managed DNS service on AWS. The solution consists of the following:
- Amazon EC2 instances in different AWS Regions
- Endpoints of a standard accelerator in AWS Global Accelerator
The company wants to protect the solution against DDoS attacks.
What should a solutions architect do to meet this requirement?
Other
Community
UAnonymous
A
Subscribe to AWS Shield Advanced. Add the accelerator as a resource to protect.
B
Subscribe to AWS Shield Advanced. Add the EC2 instances as resources to protect.
C
Create an AWS WAF web ACL that includes a rate-based rule. Associate the web ACL with the accelerator.
D
Create an AWS WAF web ACL that includes a rate-based rule. Associate the web ACL with the EC2 instances.
Explanation:
Explanation
Correct Answer: A
Why A is correct:
- AWS Shield Advanced is specifically designed for DDoS protection and is the appropriate service for protecting against DDoS attacks.
- Global Accelerator endpoints are the entry points for traffic. When using Global Accelerator, traffic first goes through the accelerator endpoints before reaching the EC2 instances.
- By protecting the accelerator as a resource in Shield Advanced, you protect the entire traffic flow through the accelerator, which includes all the backend EC2 instances in different regions.
- Shield Advanced provides comprehensive DDoS protection including volumetric, state-exhaustion, and application layer attacks.
Why B is incorrect:
- While Shield Advanced is the right service, protecting individual EC2 instances would be less efficient and more complex to manage, especially when they are distributed across multiple regions. The accelerator serves as a single point of entry that should be protected.
Why C is incorrect:
- AWS WAF with rate-based rules can help with some application layer attacks, but it's not comprehensive DDoS protection. WAF is primarily for web application security (Layer 7), while DDoS attacks can occur at multiple layers (Layer 3, 4, and 7).
Why D is incorrect:
- Similar to C, AWS WAF is not comprehensive DDoS protection. Additionally, associating WAF with individual EC2 instances would be complex to manage across multiple regions and wouldn't protect the accelerator endpoints.
Key AWS Services:
- AWS Shield Advanced: Provides enhanced DDoS protection with 24/7 access to the AWS DDoS Response Team (DRT), advanced attack visibility, and cost protection.
- AWS Global Accelerator: Improves availability and performance by routing traffic through the AWS global network to optimal endpoints.
- AWS WAF: Protects web applications from common web exploits, not comprehensive DDoS protection.
Best Practice: When using Global Accelerator, protect the accelerator endpoints with Shield Advanced to provide comprehensive DDoS protection for the entire architecture.
Comments
Loading comments...