Exam SAA-C03 All Questions
Question 104

A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses. Downtime is not acceptable for the website.

Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)

    Correct Answer: A, C

    To protect a website from a large-scale DDoS attack and ensure high availability, the solutions architect should use AWS Shield Advanced and Amazon CloudFront. AWS Shield Advanced provides advanced DDoS protection for AWS resources and includes features such as threat intelligence and automatic protection, which are essential for stopping the DDoS attack. Amazon CloudFront, as a content delivery network, distributes requests across multiple edge locations, helping to absorb the impact of the attack and reduce the risk of downtime. Both options are crucial for mitigating DDoS attacks while maintaining availability.
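A check a practitioner would want before enabling the Shield Advanced half of this design, written as an added example (not from the exam page or from AWS): Shield Advanced protections are created per resource ARN, and the thread below turns on the point that an EC2 instance ARN is not an accepted resource, only a CloudFront distribution, load balancer, Elastic IP allocation, Route 53 hosted zone or Global Accelerator accelerator in front of it. The ARNs in the module are constructed samples, and `classify`/`protection_requests` are hypothetical helper names.

```python
"""Validate which resource ARNs AWS Shield Advanced can protect.

Added example: encodes the eligibility rule discussed on this page so a
CreateProtection call is only attempted on a resource type Shield Advanced
accepts. Sample ARNs in tests are constructed, not real resources.
"""
import re

# Resource types AWS documents as protectable by Shield Advanced,
# keyed by (ARN service, ARN resource-type prefix).
ELIGIBLE = {
    ("cloudfront", "distribution"): "CloudFront distribution",
    ("elasticloadbalancing", "loadbalancer"): "Elastic Load Balancer",
    ("ec2", "eip-allocation"): "Elastic IP address",
    ("route53", "hostedzone"): "Route 53 hosted zone",
    ("globalaccelerator", "accelerator"): "Global Accelerator accelerator",
}

# arn:aws:<service>:<region>:<account>:<resource>; region/account may be empty
ARN_RE = re.compile(r"^arn:aws:([^:]+):([^:]*):([^:]*):(.+)$")


def classify(arn: str) -> tuple:
    """Return (eligible, reason) for one resource ARN.

    An EC2 instance ARN is rejected with the remedy the design relies on:
    front the instance with CloudFront/ELB or attach an Elastic IP, and
    protect that resource instead.
    """
    m = ARN_RE.match(arn)
    if not m:
        return False, "not a valid ARN"
    service, _region, _account, resource = m.groups()
    # The resource part is "<type>/<id>" or "<type>:<id>"; take the type.
    rtype = re.split(r"[/:]", resource, maxsplit=1)[0]
    label = ELIGIBLE.get((service, rtype))
    if label:
        return True, label
    if service == "ec2" and rtype == "instance":
        return False, ("EC2 instance ARN: Shield Advanced cannot protect it "
                       "directly; use an Elastic IP, ELB or CloudFront in front")
    return False, f"unsupported resource type {service}:{rtype}"


def protection_requests(arns: list) -> list:
    """Build the kwargs for shield.create_protection() for eligible ARNs only.

    Hypothetical helper: the dicts match the Name/ResourceArn parameters of
    the Shield CreateProtection API, but no AWS call is made here.
    """
    out = []
    for arn in arns:
        ok, label = classify(arn)
        if ok:
            out.append({"Name": f"{label} {arn.rsplit('/', 1)[-1]}",
                        "ResourceArn": arn})
    return out
```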

Discussion
alvarez100 (Options: AC)

I think it is AC, reason is they require a solution that is highly available. AWS Shield can handle the DDoS attacks. To make the solution HA you can use cloud front. AC seems to be the best answer imo. AB seem like redundant answers. How do those answers make the solution HA?

attila9778

A - AWS Shield Advanced
C - (protecting this option)
IMO: AWS Shield Advanced has to be attached. But it cannot be attached directly to EC2 instances. According to the docs: https://aws.amazon.com/shield/ it needs to be attached to services such as CloudFront, Route 53, Global Accelerator, ELB or (in the most direct way, using) an Elastic IP (attached to the EC2 instance).

Buruguduystunstugudunstuy (Options: AC)

Option A. Use AWS Shield Advanced to stop the DDoS attack. It provides always-on protection for Amazon EC2 instances, Elastic Load Balancers, and Amazon Route 53 resources. By using AWS Shield Advanced, the solutions architect can help protect the website from large-scale DDoS attacks.

Option C. Configure the website to use Amazon CloudFront for both static and dynamic content. CloudFront is a content delivery network (CDN) that integrates with other Amazon Web Services products, such as Amazon S3 and Amazon EC2, to deliver content to users with low latency and high data transfer speeds. By using CloudFront, the solutions architect can distribute the website's content across multiple edge locations, which can help absorb the impact of a DDoS attack and reduce the risk of downtime for the website.

awsgeek75 (Options: AC)

A: For DDoS attacks
C: For scalable, available site
B: Irrelevant
D: How would Lambda identify the attacker IP, even if this was possible (ACL has a limit of 40 rules each way)?
E: Scaling is not an issue here

Aash24 (Option: D)

D should be the one here

pentium75

"Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs"?????

cookieMr (Options: AC)

A. AWS Shield Advanced provides advanced DDoS protection for AWS resources, including EC2. It includes features such as real-time threat intelligence, automatic protection, and DDoS cost protection.
C. CloudFront is a CDN service that can help mitigate DDoS attacks. By routing traffic through CloudFront, requests to the website are distributed across multiple edge locations, which can absorb and mitigate DDoS attacks more effectively. CloudFront also provides additional DDoS protection features, such as rate limiting, SSL/TLS termination, and custom security policies.
B. While GuardDuty can detect and provide insights into potential malicious activity, it is not specifically designed for DDoS mitigation.
D. Network ACLs are not designed to handle high-volume traffic or DDoS attacks efficiently.
E. Spot Instances are a cost optimization strategy and may not provide the necessary availability and protection against DDoS attacks compared to using dedicated instances with DDoS protection mechanisms like Shield Advanced and CloudFront.

xdkonorek2 (Options: AC)

A - use AWS Shield Advanced for DDoS protection, but it cannot be used with an EC2 instance if it's not using an EIP, which is not mentioned
C - but it can be used with a CloudFront distribution, thus AC is the answer

TariqKipkemei (Options: AC)

Mitigate a large-scale DDoS attack = AWS Shield Advanced
Downtime is not acceptable for the website = high availability = Amazon CloudFront

Guru4Cloud (Options: AC)

CloudFront supports Shield Advanced integration.

Heric (Options: AC)

Keyword: DDoS attack, so choose AWS Shield Advanced. CloudFront has WAF attached.

jaradat02 (Options: AC)

A and C are the most logical combination; we implement CloudFront so we can use Shield Advanced. Both of these options mitigate the impact of a DDoS attack.

jatric (Options: AC)

AC is closer to meeting the requirement.

Ruffyit

DDoS attack, so choose AWS Shield Advanced. CloudFront has WAF attached.

Devsin2000 (Options: AE)

A - no-brainer.
E = "must design a highly available infrastructure". I am not sure if CloudFront addresses this requirement.

pentium75

Is CloudFront not HA? Answer E uses Spot instances which might be unavailable, thus are NEVER an option for HA.

LoXoL

pentium75 is right.

sidharthwader

You are right; if it were On-Demand Instances we could think of E.

mtmayer (Option: D)

Yeah, AWS Shield Advanced can be used directly on EC2..... https://docs.aws.amazon.com/waf/latest/developerguide/ddos-protections-by-resource-type.html

pentium75

Why D then?

diabloexodia

CloudFront supports Shield Advanced integration.

jdr75 (Options: AC)

A & C, but I don't fully understand why CloudFront is opted for. The customer does not need it, and it's not exactly cheap. Yes, it could serve the cached content to the attacker, lightening the job in the backend, but as I said it's not cheap, and the OOTB AWS Shield is free and can cope with the attack (as far as it isn't a WAF-style attack).

pentium75

Because AWS Shield Advanced can't be directly attached to an EC2 instance. Yes, it says everywhere that 'AWS Shield Advanced can protect EC2 instances', but it still needs CloudFront in between.

Khushna (Options: AC)

DDoS is better with Shield, and CloudFront also provides protection for DDoS.