Question #930
Which AWS service safeguards applications against distributed denial-of-service (DDoS) attacks by providing continuous monitoring and automatic mitigations at the network and transport layers?
A. AWS Web Application Firewall (AWS WAF)
B. AWS Shield
C. Amazon Inspector
D. AWS Config
Explanation
The correct answer is B. AWS Shield. Here's why:
- AWS Shield is AWS's managed DDoS protection service. It offers two tiers: Shield Standard (free, automatic protection against common DDoS attacks at Layers 3/4) and Shield Advanced (paid, enhanced protection with 24/7 access to AWS DDoS experts). Both tiers provide continuous monitoring and automatic mitigations for network/transport-layer attacks.
- Why other options are incorrect:
  - A. AWS WAF: Operates at the application layer (Layer 7) to block web exploits (e.g., SQL injection), not DDoS attacks at Layers 3/4.
  - C. Amazon Inspector: Focuses on vulnerability assessments for EC2 instances and container images, not DDoS mitigation.
  - D. AWS Config: Tracks resource configuration changes for compliance auditing, unrelated to DDoS protection.
Key Points:
- Shield is purpose-built for DDoS protection at Layers 3/4.
- WAF handles Layer 7 security.
- DDoS mitigation requires specialized services like Shield.
Answer
The correct answer is: B