Exam SCS-C01
Question 27

A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.

Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?

    Correct Answer: D

    Moving all the files to an S3 bucket and creating a CloudFront distribution in front of the bucket while terminating the web server is the best solution. This approach leverages S3's scalability and CloudFront's CDN capabilities to handle high traffic loads effectively, ensuring protection against DDoS attacks and minimizing operational overhead. By eliminating the need for an EC2 instance and utilizing managed services, operational overhead is significantly reduced and the static site remains available and secure.

Discussion
awssecuritynewbie

D is correct; it is trying to reduce the overhead.

andwill1001

That's not the only important part. A also reduces overhead. The part that sets D apart is DDoS protection.

virtual

Yes, DDoS protection through CloudFront

Daniel76

A - A single web server does not protect against DDoS.
B - Load-balanced EC2 instances only increase availability but do not help to protect against DDoS.
C - ALB is redundant when there's only 1 EC2.
D - Best answer.

ChauPhan

C is not management overhead as we still manage EC2 web server. As the site is static, we can move it to S3 for reducing overhead

roguecloud Option: D

100% all for D, and A is selected... Admins?? aaaaaadmins.... hello? :)

sakibmas Option: D

AWS Shield, a DDoS protection service, is enabled by default on Amazon CloudFront and automatically protects against Network/Transport layer DDoS attacks. Reference: https://aws.amazon.com/blogs/networking-and-content-delivery/improve-your-website-availability-with-amazon-cloudfront/

bk02 Option: D

Even serving content from S3 allows the EC2 to get DDoS, so using CloudFront backed by S3 with WAF will help.

Dmosh

WAF? Where?

janvandermerwerOption: D

D - Static content is a suitable use case for S3. Cloudfront can then be used to present (and cache) the data for the front end. EC2 instance/s behind and ALB could work - However, this has more operational overhead and can still be overloaded if sufficient traffic occurs.

matrpro Option: D

D is the only one that protects against a DDoS. In A you could be impacted by a DDoS. All requests still reach the EC2.

sapien45

What is going on here ... so much chatting, not one single public AWS URL to prove your points. AWS Shield, a DDoS protection service, is enabled by default on Amazon CloudFront and automatically protects against Network/Transport layer DDoS attacks. The automatic protection feature by AWS Shield Standard is available to all AWS customers at no additional cost. Customers can also use AWS WAF (Web Application Firewall) to protect against application layer DDoS attacks. https://aws.amazon.com/blogs/networking-and-content-delivery/improve-your-website-availability-with-amazon-cloudfront/

pk0619 Option: D

BEST way is the key word

dcyberguy Option: B

Answer should be B. Hear me out. What is DDoS? It floods traffic to the targeted online resources. That is where an Application Load Balancer comes in, to redistribute the load. In the event of a DDoS attack, your site will not be down and will continue to function normally, most especially when the workload is distributed between two EC2 instances.

DLG_85

Check this from AWS Docs please: "AWS Shield is integrated with Amazon CloudFront, which supports custom origins outside of AWS." - https://aws.amazon.com/shield/faqs/

brpjp Option: A

A is correct as we have to minimize operating overhead.

SaucyVip3r Option: D

D is the correct one; having a CloudFront-backed architecture protects from DDoS attacks.

xplusfb

Absolutely, the correct answer is D because it didn't say anything about web server persistence. We should terminate the web server for static content serving.

arae

D - because we can host a static website there and we can allow the users to download files/upload files there using CloudFront, plus it is AWS Shield enabled.

Mr__ Option: D

D is correct

dcasabona Option: D

D for sure...

xaocho Option: D

go to D