Question #1188
A company is experiencing frequent DDoS attacks targeting its globally distributed web application, which uses Amazon CloudFront. The security team wants to enhance protection against infrastructure-layer attacks while minimizing downtime. What should the solutions architect implement to address this threat effectively?
A. Deploy AWS WAF rules to block malicious traffic patterns.
B. Enable AWS Shield Standard for automatic DDoS mitigation.
C. Activate AWS Shield Advanced for advanced DDoS protections.
D. Use AWS Config to audit and enforce DDoS resilience policies.
Explanation
The correct answer is C (Activate AWS Shield Advanced). Here's why:
- Infrastructure-layer attacks (e.g., UDP/ICMP floods) target Layers 3/4. AWS Shield Advanced specializes in mitigating these attacks, while AWS WAF (A) focuses on Layer 7 (application-layer) threats.
- AWS Shield Standard (B) is automatically enabled but only provides basic DDoS protection. It lacks advanced features like 24/7 DDoS response team support and custom mitigations, which are critical for frequent/severe attacks.
- AWS Config (D) audits compliance but does not mitigate attacks.
Shield Advanced offers:
1. Advanced DDoS detection/mitigation for CloudFront, EC2, ELB, etc.
2. Cost protection for scaling during attacks.
3. Direct access to the AWS DDoS Response Team.
Key points:
- Use Shield Advanced for infrastructure-layer DDoS protection.
- Shield Standard is insufficient for frequent/sophisticated attacks.
- WAF and Config are not designed for Layer 3/4 mitigation.
Answer
The correct answer is: C