AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 64
A company that runs multiple workloads on AWS wants to enhance its security posture by implementing DNS-based threat protection. The company must block DNS-based attacks.
Which solution will meet this requirement?
Answer options
- A. Deploy AWS Shield Advanced to filter and block malicious DNS queries. Set up domain filtering policies.
- B. Use AWS WAF to inspect DNS traffic for malicious domains. Create custom rules to block known threats.
- C. Configure Amazon Route 53 Resolver to forward DNS queries to Route 53 Resolver DNS Firewall Advanced to detect and filter threats.
- D. Configure AWS Config to monitor DNS queries and DNS traffic patterns. Use an AWS Lambda function to prevent access to malicious domains.
Correct answer: C
Explanation
The correct answer is C because Amazon Route 53 Resolver DNS Firewall Advanced is designed specifically to detect and filter DNS threats. Option A is relevant for DDoS protection but does not specifically address DNS-based attacks. Option B focuses on web application traffic rather than DNS. Option D involves monitoring DNS but does not directly prevent DNS-based attacks.