Question #718
A company is enhancing an e-commerce platform hosted on Amazon ECS with DynamoDB. They've faced increased DDoS attacks and need to ensure minimal downtime during attacks cost-effectively. The setup includes a public ALB for user access.
Which two steps should they take?
A. Set up CloudFront with the ALB as origin, using a custom origin header. Configure ALB to allow traffic only with that header.
B. Deploy the application across multiple AWS Regions with Route 53 failover routing.
C. Implement ElastiCache for DynamoDB to handle increased read traffic.
D. Enable AWS Shield Advanced for DDoS protection.
E. Associate an AWS WAF web ACL with the CloudFront distribution, using managed rule groups.
Explanation
A: Putting CloudFront in front of the ALB and having it add a secret custom origin header lets the ALB forward only requests that carry that header (a listener rule with an http-header condition, with the listener's default action returning a fixed 403). Traffic aimed directly at the ALB's hostname is rejected at the load balancer instead of reaching the ECS tasks, and CloudFront's edge network together with Shield Standard, which is included at no charge, absorbs network- and transport-layer floods. The header is a shared secret: keep it long and random, rotate it, and remember that the ALB itself stays publicly reachable, so as a second check restrict its security group to the CloudFront origin-facing managed prefix list. E: AWS WAF on the distribution with managed rule groups (e.g., AWSManagedRulesCommonRuleSet) filters malicious application-layer requests at the edge before they reach the origin; a rate-based rule can be added to the same web ACL to throttle HTTP floods.
Why not others:
- B: Deploying to multiple Regions with Route 53 failover adds significant cost and complexity and does not stop attack traffic; each Region is still exposed to the same attack.
- C: A cache (ElastiCache, or DAX, which is the cache built for DynamoDB) only improves read latency; it does nothing to filter or absorb attack traffic.
- D: Shield Advanced adds enhanced mitigation, DDoS cost protection and access to the Shield Response Team, but it costs USD 3,000 per month with a 12-month commitment, which the question's emphasis on cost-effectiveness rules out. Shield Standard already protects CloudFront and the ALB at no charge.
Key Points: Use CloudFront and AWS WAF for layered, cost-effective DDoS mitigation. The secret origin header, enforced by an ALB listener rule, keeps traffic that bypasses CloudFront from reaching the application, while WAF blocks application-layer attacks at the edge.
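As an added worked example (my own, not part of the original question or of AWS documentation), the following CloudFormation template wires the two chosen steps together: a Secrets Manager secret shared between CloudFront and the ALB, an HTTPS listener whose default action returns 403, a listener rule that forwards to the ECS target group only when the X-Origin-Verify header matches, a CLOUDFRONT-scoped WAFv2 web ACL with AWSManagedRulesCommonRuleSet, and the distribution that ties them together. The header name, the parameter names and the assumption that the ALB, its target group and an ACM certificate already exist are mine.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: CloudFront in front of a public ALB, gated by a secret origin
  header, with an AWS WAF web ACL on the distribution. Not the page's own code.
  Deploy in us-east-1: CLOUDFRONT-scoped web ACLs can only be created there.

Parameters:
  AlbArn:            { Type: String }   # assumed: existing ALB
  OriginDnsName:     { Type: String }   # assumed: custom name (e.g. origin.example.com) aliased to the ALB and covered by the cert
  TargetGroupArn:    { Type: String }   # assumed: ECS service target group
  AlbCertificateArn: { Type: String }   # assumed: ACM certificate for OriginDnsName

Resources:
  # Random shared secret: CloudFront sends it, the ALB checks it. Alphanumeric only,
  # because listener-rule header values treat '*' and '?' as wildcards.
  OriginSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        PasswordLength: 48
        ExcludePunctuation: true

  # Default action: anything that did not come through CloudFront gets a 403.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AlbArn
      Port: 443
      Protocol: HTTPS
      Certificates: [{ CertificateArn: !Ref AlbCertificateArn }]
      DefaultActions:
        - Type: fixed-response
          FixedResponseConfig: { StatusCode: "403", ContentType: text/plain, MessageBody: Forbidden }

  # Only requests carrying the secret header are forwarded to the ECS tasks.
  ForwardIfHeaderMatches:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 1
      Conditions:
        - Field: http-header
          HttpHeaderConfig:
            HttpHeaderName: X-Origin-Verify      # assumed header name
            Values: [!Sub "{{resolve:secretsmanager:${OriginSecret}}}"]
      Actions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroupArn

  # Step E: managed rule group evaluated at the edge, before the origin sees the request.
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: CLOUDFRONT
      DefaultAction: { Allow: {} }
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ecommerce-waf }
      Rules:
        - Name: AWSManagedRulesCommonRuleSet
          Priority: 0
          OverrideAction: { None: {} }
          Statement:
            ManagedRuleGroupStatement: { VendorName: AWS, Name: AWSManagedRulesCommonRuleSet }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: common-rule-set }

  # Step A: the distribution adds the secret header on every origin request.
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        WebACLId: !GetAtt WebAcl.Arn
        Origins:
          - Id: alb-origin
            DomainName: !Ref OriginDnsName
            CustomOriginConfig: { OriginProtocolPolicy: https-only }
            OriginCustomHeaders:
              - HeaderName: X-Origin-Verify
                HeaderValue: !Sub "{{resolve:secretsmanager:${OriginSecret}}}"
        DefaultCacheBehavior:
          TargetOriginId: alb-origin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad          # AWS managed CachingDisabled
          OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3  # AWS managed AllViewer
```

Two operational notes. First, the origin is addressed by a custom name rather than the ALB's default DNS name because CloudFront validates the origin certificate and no ACM certificate covers *.elb.amazonaws.com; the ALB's own certificate must cover the name CloudFront connects to. Second, the secret is visible to anyone who can read the distribution config or the listener rule, and rotating it means updating the secret and then redeploying so both the CloudFront header and the listener rule pick up the new value; restricting the ALB security group to the com.amazonaws.global.cloudfront.origin-facing managed prefix list closes the window in which a leaked header could be replayed directly against the ALB.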
Answer
The correct answer is: AE