
SAA-C03 Exam - Question 104


A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses. Downtime is not acceptable for the website.

Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)

Correct Answer: AC

To protect a website from a large-scale DDoS attack and ensure high availability, the solutions architect should use AWS Shield Advanced and Amazon CloudFront. AWS Shield Advanced provides advanced DDoS protection for AWS resources and includes features such as threat intelligence and automatic protection, which are essential for stopping the DDoS attack. Amazon CloudFront, as a content delivery network, distributes requests across multiple edge locations, helping to absorb the impact of the attack and reduce the risk of downtime. Both options are crucial for mitigating DDoS attacks while maintaining availability.

Discussion

17 comments
alvarez100 (Options: AC)
Oct 16, 2022

I think it is AC, reason is they require a solution that is highly available. AWS Shield can handle the DDoS attacks. To make the solution HA you can use cloud front. AC seems to be the best answer imo. AB seem like redundant answers. How do those answers make the solution HA?

attila9778
Nov 22, 2022

A - AWS Shield Advanced; C - (protecting this option). IMO: AWS Shield Advanced has to be attached, but it cannot be attached directly to EC2 instances. According to the docs (https://aws.amazon.com/shield/) it needs to be attached to services such as CloudFront, Route 53, Global Accelerator, ELB or (in the most direct way) an Elastic IP (attached to the EC2 instance).
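The comment above lists the resource types a Shield Advanced protection can attach to. The following is an added example (not from the exam page or any commenter) that audits an inventory of resource ARNs against that rule: it flags eligible resources that have no protection and resources, such as a bare EC2 instance ARN, that can only be covered indirectly through CloudFront, an ELB or an Elastic IP. The ARN patterns, the sample inventory and the protection list are constructed here; for a real account you would feed it the `ResourceArn` values returned by the Shield `ListProtections` API.

```python
import re

# Assumption: ARN shapes of the resource types Shield Advanced can protect,
# derived from the public ARN formats (distribution, hosted zone, accelerator,
# load balancer, EIP allocation). An EC2 instance ARN matches none of them.
ELIGIBLE = {
    "cloudfront": re.compile(r"^arn:aws:cloudfront::\d{12}:distribution/[A-Z0-9]+$"),
    "route53": re.compile(r"^arn:aws:route53:::hostedzone/[A-Z0-9]+$"),
    "globalaccelerator": re.compile(r"^arn:aws:globalaccelerator::\d{12}:accelerator/[0-9a-f-]+$"),
    "elb": re.compile(r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/.+$"),
    "eip": re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:eip-allocation/eipalloc-[0-9a-f]+$"),
}

def classify(arn: str):
    """Return the protectable resource kind for an ARN, or None if ineligible."""
    for kind, pattern in ELIGIBLE.items():
        if pattern.match(arn):
            return kind
    return None

def coverage_report(inventory, protections):
    """Split inventory ARNs into (covered, unprotected, ineligible).

    inventory:   ARNs of the internet-facing resources you intend to protect.
    protections: dicts shaped like Shield ListProtections entries ('ResourceArn').
    """
    protected = {p["ResourceArn"] for p in protections}
    covered, unprotected, ineligible = [], [], []
    for arn in inventory:
        if classify(arn) is None:
            ineligible.append(arn)   # needs CloudFront/ELB/EIP in front of it
        elif arn in protected:
            covered.append(arn)
        else:
            unprotected.append(arn)  # eligible, but no protection created yet
    return covered, unprotected, ineligible

# Constructed sample data; the account id and resource ids are placeholders.
SAMPLE_INVENTORY = [
    "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE",
    "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0abc123",
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
]
SAMPLE_PROTECTIONS = [{"Id": "p-1", "Name": "cdn", "ResourceArn": SAMPLE_INVENTORY[0]}]

if __name__ == "__main__":
    cov, unp, inel = coverage_report(SAMPLE_INVENTORY, SAMPLE_PROTECTIONS)
    print("covered:", cov)
    print("unprotected (eligible, create a protection):", unp)
    print("ineligible (front with CloudFront/ELB or attach an EIP):", inel)
```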

Buruguduystunstugudunstuy (Options: AC)
Dec 28, 2022

Option A. Use AWS Shield Advanced to stop the DDoS attack. It provides always-on protection for Amazon EC2 instances, Elastic Load Balancers, and Amazon Route 53 resources. By using AWS Shield Advanced, the solutions architect can help protect the website from large-scale DDoS attacks. Option C. Configure the website to use Amazon CloudFront for both static and dynamic content. CloudFront is a content delivery network (CDN) that integrates with other Amazon Web Services products, such as Amazon S3 and Amazon EC2, to deliver content to users with low latency and high data transfer speeds. By using CloudFront, the solutions architect can distribute the website's content across multiple edge locations, which can help absorb the impact of a DDoS attack and reduce the risk of downtime for the website.

awsgeek75 (Options: AC)
Jan 15, 2024

A: For DDoS attacks
C: For a scalable, available site
B: Irrelevant
D: How would Lambda identify the attacker IP even if this was possible (ACL has a limit of 40 rules each way)
E: Scaling is not an issue here

cookieMr (Options: AC)
Jun 22, 2023

A. AWS Shield Advanced provides advanced DDoS protection for AWS resources, including EC2. It includes features such as real-time threat intelligence, automatic protection, and DDoS cost protection.
C. CloudFront is a CDN service that can help mitigate DDoS attacks. By routing traffic through CloudFront, requests to the website are distributed across multiple edge locations, which can absorb and mitigate DDoS attacks more effectively. CloudFront also provides additional DDoS protection features, such as rate limiting, SSL/TLS termination, and custom security policies.
B. While GuardDuty can detect and provide insights into potential malicious activity, it is not specifically designed for DDoS mitigation.
D. Network ACLs are not designed to handle high-volume traffic or DDoS attacks efficiently.
E. Spot Instances are a cost optimization strategy and may not provide the necessary availability and protection against DDoS attacks compared to using dedicated instances with DDoS protection mechanisms like Shield Advanced and CloudFront.

Aash24 (Option: D)
Jul 8, 2023

D should be the one here

pentium75
Dec 26, 2023

"Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs"?????

Heric (Options: AC)
Apr 17, 2023

Keyword: DDoS attack, so choose AWS Shield Advanced; CloudFront has WAF attached.

Guru4Cloud (Options: AC)
Aug 15, 2023

CloudFront supports Shield Advanced integration.

TariqKipkemei (Options: AC)
Aug 25, 2023

Mitigate a large-scale DDoS attack = AWS Shield Advanced. Downtime is not acceptable for the website = high availability = Amazon CloudFront.

xdkonorek2 (Options: AC)
Nov 4, 2023

A - use AWS Shield Advanced for DDoS protection, but it cannot be used with an EC2 instance if it's not using an EIP, which is not mentioned. C - but it can be used with a CloudFront distribution, thus AC is the answer.

Khushna (Options: AC)
Feb 19, 2023

DDoS is better with Shield, and CloudFront also provides protection for DDoS.

jdr75 (Options: AC)
Apr 5, 2023

A & C, but I do not fully understand why CloudFront is opted for. The customer does not need it, and it's not exactly cheap. Yes, it could serve the cached content to the attacker, lightening the job in the backend, but as I said it's not cheap, and the OOTB AWS Shield is free and can cope with the attack (as far as it isn't a WAF-style attack).

pentium75
Dec 26, 2023

Because AWS Shield Advanced can't be directly attached to an EC2 instance. Yes, it says everywhere that 'AWS Shield Advanced can protect EC2 instances', but it still needs CloudFront in between.

diabloexodia
Jul 14, 2023

CloudFront supports Shield Advanced integration.

mtmayer (Option: D)
Aug 21, 2023

Yeah, AWS Shield Advanced can be used directly on EC2..... https://docs.aws.amazon.com/waf/latest/developerguide/ddos-protections-by-resource-type.html

pentium75
Dec 26, 2023

Why D then?

Devsin2000 (Options: AE)
Sep 28, 2023

A - no brainer. E = "must design a highly available infrastructure". I am not sure if CloudFront addresses this requirement.

pentium75
Dec 26, 2023

Is CloudFront not HA? Answer E uses Spot instances which might be unavailable, thus are NEVER an option for HA.

LoXoL
Jan 9, 2024

pentium75 is right.

sidharthwader
Feb 29, 2024

You are right; if it was On-Demand instances we could think of E.

Ruffyit
Oct 29, 2023

DDoS attack, so choose AWS Shield Advanced; CloudFront has WAF attached.

jatric (Options: AC)
Jul 4, 2024

AC is closer to meeting the requirement.

jaradat02 (Options: AC)
Jul 22, 2024

A and C are the most logical combination; we implement CloudFront so we can use Shield Advanced. Both of these options mitigate the impact of a DDoS attack.