
SCS-C01 Exam - Question 27


A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download.

Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?

Correct Answer: D

Moving all the files to an S3 bucket and creating a CloudFront distribution in front of the bucket while terminating the web server is the best solution. This approach leverages S3's scalability and CloudFront's CDN capabilities to handle high traffic loads effectively, ensuring protection against DDoS attacks and minimizing operational overhead. By eliminating the need for an EC2 instance and utilizing managed services, operational overhead is significantly reduced and the static site remains available and secure.
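As an added example (not part of the original page and not AWS tooling): once the files sit in S3 behind CloudFront, the bucket should accept reads only from that distribution, so that traffic cannot reach the bucket without passing through CloudFront. The check below audits a bucket policy for this, assuming the distribution uses origin access control; the function name, account ID, distribution ID and bucket name are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

CLOUDFRONT = "cloudfront.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy_json, distribution_arn):
    """List Allow statements that let object reads bypass the CloudFront distribution.
    Narrowed to Action/Principal statements; NotAction and NotPrincipal are not evaluated."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        actions = [str(a).lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase("s3:getobject", a) for a in actions):
            continue  # only statements that allow s3:GetObject matter here
        sid = stmt.get("Sid", f"statement[{i}]")
        principal = stmt.get("Principal")
        if not (isinstance(principal, dict) and set(principal) == {"Service"}
                and _as_list(principal["Service"]) == [CLOUDFRONT]):
            findings.append(f"{sid}: reads allowed for a principal other than CloudFront")
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        source = {k.lower(): v for k, v in cond.items()}.get("aws:sourcearn")
        if _as_list(source) != [distribution_arn]:
            findings.append(f"{sid}: CloudFront access not pinned to this distribution")
    return findings

# Constructed sample values (placeholder account, distribution and bucket names).
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
OBJECTS = "arn:aws:s3:::example-static-site/*"
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontRead", "Effect": "Allow",
    "Principal": {"Service": CLOUDFRONT}, "Action": "s3:GetObject",
    "Resource": OBJECTS,
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}}]})
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": OBJECTS}]})

if __name__ == "__main__":
    for name, policy in (("locked", LOCKED_POLICY), ("public", PUBLIC_POLICY)):
        print(name, audit_bucket_policy(policy, DIST_ARN) or "ok")
```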

Discussion

awssecuritynewbie
Sep 26, 2021

D is correct; it is trying to reduce the overhead.

andwill1001
Jun 20, 2022

That's not the only important part. A also reduces overhead. The part that sets D apart is DDOS protection.

virtual
Feb 18, 2024

Yes, DDoS protection through CloudFront

Daniel76
Oct 12, 2021

A - A single web server does not protect against DDoS.
B - Load-balanced EC2 instances only increase availability but do not help to protect against DDoS.
C - ALB is redundant when there's only 1 EC2.
D - Best answer.

ChauPhan
Oct 28, 2021

C is not management overhead as we still manage EC2 web server. As the site is static, we can move it to S3 for reducing overhead

sakibmas Option: D
Oct 10, 2022

AWS Shield, a DDoS protection service, is enabled by default on Amazon CloudFront and automatically protects against Network/Transport layer DDoS attacks. Reference: https://aws.amazon.com/blogs/networking-and-content-delivery/improve-your-website-availability-with-amazon-cloudfront/

roguecloud Option: D
Jan 28, 2023

100% all for D, and A is selected... Admins?? aaaaaadmins.... hello? :)

janvandermerwerOption: D
Nov 12, 2022

D - Static content is a suitable use case for S3. CloudFront can then be used to present (and cache) the data for the front end. EC2 instance/s behind an ALB could work. However, this has more operational overhead and can still be overloaded if sufficient traffic occurs.

bk02 Option: D
Feb 5, 2023

Even serving content from S3 allows the EC2 to get DDoS, so using CloudFront backed by S3 with WAF will help.

Dmosh
Apr 21, 2023

WAF? Where?

sapien45
Jul 15, 2022

What is going on here ... so much chatting, not one single public AWS URL to prove your points. AWS Shield, a DDoS protection service, is enabled by default on Amazon CloudFront and automatically protects against Network/Transport layer DDoS attacks. The automatic protection feature by AWS Shield Standard is available to all AWS customers at no additional cost. Customers can also use AWS WAF (Web Application Firewall) to protect against application layer DDoS attacks. https://aws.amazon.com/blogs/networking-and-content-delivery/improve-your-website-availability-with-amazon-cloudfront/

matrpro Option: D
Apr 30, 2023

D is the only one that protects against a DDoS. In A you could be impacted by a DDoS. All requests still reach the EC2.

xaocho Option: D
Jun 27, 2022

go to D

dcasabona Option: D
Jul 26, 2022

D for sure...

Mr__ Option: D
Sep 19, 2022

D is correct

arae
Oct 25, 2022

D - because we can host a static website there and we can allow the users to download files/upload files there using CloudFront, plus it has AWS Shield enabled.

xplusfb
Jan 9, 2023

Absolutely correct answer is D because it didn't say anything about web server persistence. We should terminate the web server for static content serving.

SaucyVip3r Option: D
May 2, 2023

D is the correct one; having a CloudFront-backed architecture protects from DDoS attacks.

brpjp Option: A
Jul 1, 2023

A is correct as we have to minimize operating overhead.

dcyberguy Option: B
Jul 5, 2023

Answer should be B. Hear me out. What is DDoS? It floods traffic to the targeted online resources. That is where an Application Load Balancer comes in, to redistribute the load. In the event of a DDoS attack, your site will not be down and will continue to function normally, most especially when the workload is distributed between two EC2 instances.

DLG_85
Jul 16, 2024

Check this from AWS Docs please: "AWS Shield is integrated with Amazon CloudFront, which supports custom origins outside of AWS." - https://aws.amazon.com/shield/faqs/

pk0619 Option: D
Jul 6, 2023

BEST way is the key word