AWS Certified Solutions Architect – Associate (SAA-C02) — Question 743

A company is designing a cloud communications platform that is driven by APIs. The application is hosted on Amazon EC2 instances behind a Network Load
Balancer (NLB). The company uses Amazon API Gateway to provide external users with access to the application through APIs. The company wants to protect the platform against web exploits like SQL injection and also wants to detect and mitigate large, sophisticated DDoS attacks.
Which combination of solutions provides the MOST protection? (Choose two.)

Answer options

• A. Use AWS WAF to protect the NLB.
• B. Use AWS Shield Advanced with the NLB.
• C. Use AWS WAF to protect Amazon API Gateway.
• D. Use Amazon GuardDuty with AWS Shield Standard.
• E. Use AWS Shield Standard with Amazon API Gateway.

Correct answer: B, C

Explanation

AWS WAF can be directly integrated with Amazon API Gateway to protect against application-layer exploits like SQL injection. To defend against sophisticated network and transport layer DDoS attacks, AWS Shield Advanced should be associated with the Network Load Balancer (NLB). AWS WAF cannot be directly attached to an NLB, and AWS Shield Standard lacks the advanced detection and mitigation capabilities required for sophisticated DDoS threats.