AWS Certified Security – Specialty — Question 123
A website currently runs on Amazon EC2, with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future.
What are some ways the Engineer could achieve this? (Choose three.)
Answer options
- A. Use AWS X-Ray to inspect the traffic going to the EC2 instances.
- B. Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
- C. Change the security group configuration to block the source of the attack traffic.
- D. Use AWS WAF security rules to inspect the inbound traffic.
- E. Use Amazon Inspector assessment templates to inspect the inbound traffic.
- F. Use Amazon Route 53 to distribute traffic.
Correct answer: B, D, F
Explanation
Option B is correct because moving static content to Amazon S3 and using Amazon CloudFront helps offload traffic and provides DDoS protection. Option D is also correct as AWS WAF can filter and monitor incoming traffic based on set rules, enhancing security. Option F is correct since Amazon Route 53 can help in traffic distribution and management, which can mitigate DDoS impacts. Options A, C, and E are not optimal solutions for mitigating DDoS attacks.