AWS Certified Security – Specialty — Question 109
A global company must mitigate and respond to DDoS attacks at Layers 3, 4 and 7. All of the company's AWS applications are serverless with static content hosted on Amazon S3 using Amazon CloudFront and Amazon Route 53.
Which solution will meet these requirements?
Answer options
- A. Use AWS WAF with an upgrade to the AWS Business support plan.
- B. Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity.
- C. Use AWS Shield Advanced.
- D. Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS, and a NACL restricting all ingress traffic.
Correct answer: C
Explanation
The correct answer is C: AWS Shield Advanced provides comprehensive DDoS protection specifically designed for AWS services, covering Layers 3, 4, and 7. Option A offers only some protection through AWS WAF and does not address the full scope of DDoS threats. Option B focuses on SSL/TLS management and load balancing, which does not directly mitigate DDoS attacks. Option D does not provide a complete DDoS mitigation strategy and is limited to protecting specific AWS resources.