AWS Certified Solutions Architect – Associate (SAA-C03) — Question 385
A company has implemented a self-managed DNS service on AWS. The solution consists of the following:
• Amazon EC2 instances in different AWS Regions
• Endpoints of a standard accelerator in AWS Global Accelerator
The company wants to protect the solution against DDoS attacks.
What should a solutions architect do to meet this requirement?
Answer options
- A. Subscribe to AWS Shield Advanced. Add the accelerator as a resource to protect.
- B. Subscribe to AWS Shield Advanced. Add the EC2 instances as resources to protect.
- C. Create an AWS WAF web ACL that includes a rate-based rule. Associate the web ACL with the accelerator.
- D. Create an AWS WAF web ACL that includes a rate-based rule. Associate the web ACL with the EC2 instances.
Correct answer: A
Explanation
AWS Shield Advanced provides specialized DDoS protection and can be associated directly with an AWS Global Accelerator standard accelerator. Because the accelerator is the entry point for the DNS traffic, protecting it also shields the backend EC2 instances. AWS WAF is designed for Layer 7 HTTP/HTTPS traffic: it cannot be associated with a standard accelerator and cannot inspect DNS traffic (UDP/TCP port 53), so options C and D do not apply. Protecting the accelerator itself at the edge is the most effective way to mitigate DDoS attacks before they reach the EC2 instances.