AWS Certified Solutions Architect – Associate (SAA-C03) — Question 181
A company is designing a cloud communications platform that is driven by APIs. The application is hosted on Amazon EC2 instances behind a Network Load Balancer (NLB). The company uses Amazon API Gateway to provide external users with access to the application through APIs. The company wants to protect the platform against web exploits like SQL injection and also wants to detect and mitigate large, sophisticated DDoS attacks.
Which combination of solutions provides the MOST protection? (Choose two.)
Answer options
- A. Use AWS WAF to protect the NLB.
- B. Use AWS Shield Advanced with the NLB.
- C. Use AWS WAF to protect Amazon API Gateway.
- D. Use Amazon GuardDuty with AWS Shield Standard.
- E. Use AWS Shield Standard with Amazon API Gateway.
Correct answer: B, C
Explanation
The most effective protection comes from using AWS Shield Advanced with the NLB to defend against sophisticated DDoS attacks and implementing AWS WAF to secure Amazon API Gateway from web exploits like SQL injection. Other options either do not provide sufficient protection against DDoS attacks (like AWS Shield Standard) or do not cover both layers of the application (like using AWS WAF only for the NLB).