AWS Certified Security – Specialty (SCS-C02) — Question 146
A company is worried about potential DDoS attacks. The company has a web application that runs on Amazon EC2 instances. The application uses Amazon S3 to serve static content such as images and videos.
A security engineer must create a resilient architecture that can withstand DDoS attacks.
Which solution will meet these requirements MOST cost-effectively?
Answer options
- A. Create an Amazon CloudWatch alarm that invokes an AWS Lambda function when an EC2 instance’s CPU utilization reaches 90%. Program the Lambda function to update security groups that are attached to the EC2 instance to deny inbound ports 80 and 443.
- B. Put the EC2 instances into an Auto Scaling group behind an Elastic Load Balancing (ELB) load balancer. Use Amazon CloudFront with Amazon S3 as an origin.
- C. Set up a warm standby disaster recovery (DR) environment. Fail over to the warm standby DR environment if a DDoS attack is detected on the application.
- D. Subscribe to AWS Shield Advanced. Configure permissions to allow the Shield Response Team to manage resources on the company's behalf during a DDoS event.
Correct answer: B
Explanation
The correct answer, B, is effective because it uses Auto Scaling and Elastic Load Balancing to distribute traffic and absorb fluctuations in demand, while Amazon CloudFront caches the static content at the edge and so reduces the load that reaches the EC2 instances. Option A is reactive and does not provide a preventative architecture against DDoS attacks. Option C is a recovery solution rather than a preventative measure, and option D, while beneficial, incurs ongoing costs that are not as cost-effective as the combination of services in option B.