AWS Certified Cloud Practitioner / Question #1209 of 719

Question #1209

A startup is launching a high-traffic e-commerce platform on AWS and needs to mitigate volumetric Distributed Denial of Service (DDoS) attacks directed at their network infrastructure. Which AWS service provides automatic protection against such network layer attacks?

A. AWS WAF

B. Amazon GuardDuty

C. AWS Firewall Manager

D. AWS Shield

Explanation

AWS Shield is the correct answer because it is AWS's managed DDoS protection service. Shield Standard (automatically included for all AWS customers at no extra charge) defends against the common network-layer DDoS attacks, while Shield Advanced (a paid service) offers enhanced protection against larger and more sophisticated attacks. Volumetric DDoS attacks aim to overwhelm network bandwidth, and Shield operates at the network and transport layers (Layer 3/4) to detect and mitigate such traffic automatically.

Why other options are incorrect:
- A. AWS WAF: Operates at the application layer (Layer 7), filtering HTTP/HTTPS requests with rules; it does not address network-layer attacks.
- B. Amazon GuardDuty: A threat detection service that identifies malicious activity and findings in your account, but it does not mitigate DDoS attacks.
- C. AWS Firewall Manager: A centralized tool for managing WAF rules and other firewall configurations across accounts; it does not itself provide DDoS protection.

Key Points:
- Shield is purpose-built for DDoS protection at the network layer.
- Volumetric attacks target bandwidth/resources, requiring network-layer mitigation.
- AWS WAF and Shield address different layers (Layer 7 vs. Layer 3/4).

Answer

The correct answer is: D