AWS Certified Solutions Architect – Associate (SAA-C02) — Question 333
A company is preparing to launch a public-facing web application in the AWS Cloud. The architecture consists of Amazon EC2 instances within a VPC behind an Elastic Load Balancer (ELB). A third-party service is used for the DNS. The company's solutions architect must recommend a solution to detect and protect against large-scale DDoS attacks.
Which solution meets these requirements?
Answer options
- A. Enable Amazon GuardDuty on the account.
- B. Enable Amazon Inspector on the EC2 instances.
- C. Enable AWS Shield and assign Amazon Route 53 to it.
- D. Enable AWS Shield Advanced and assign the ELB to it.
Correct answer: D
Explanation
AWS Shield Advanced provides specialized, automatic mitigation and detailed attack diagnostics for resources like Elastic Load Balancers (ELBs), making it the ideal choice since the company uses a third-party DNS provider. AWS Shield Standard is a basic tier that cannot be manually associated with specific resources in this manner, and Route 53 is not in use here. Amazon GuardDuty and Amazon Inspector are security services for threat detection and vulnerability assessment, respectively, and do not provide active DDoS mitigation.