AWS Certified Solutions Architect – Associate (SAA-C02) — Question 707
A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses.
Downtime is not acceptable for the website. Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)
Answer options
- A. Use AWS Shield Advanced to stop the DDoS attack.
- B. Configure Amazon GuardDuty to automatically block the attackers.
- C. Configure the website to use Amazon CloudFront for both static and dynamic content.
- D. Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs.
- E. Use EC2 Spot Instances in an Auto Scaling group with a target tracking scaling policy that is set to 80% CPU utilization.
Correct answer: A, C
Explanation
AWS Shield Advanced provides comprehensive, managed DDoS protection that automatically detects and mitigates large-scale attacks, including volumetric attacks from thousands of source IP addresses. Serving both static and dynamic content through Amazon CloudFront puts globally distributed edge locations in front of the origin: cacheable static content is served from the edge, and all requests (including dynamic ones) are absorbed by CloudFront's distributed capacity, so the origin EC2 instances are never directly exposed to attacker traffic. The other options do not meet the requirement. Adding attacker IP addresses to VPC network ACLs with a Lambda function is ineffective against thousands of sources because network ACLs support only a small, fixed number of rules. Amazon GuardDuty is a threat detection service, not an inline mitigation control, and cannot block traffic on its own. EC2 Spot Instances can be interrupted by AWS at any time, which is incompatible with a website for which downtime is not acceptable.