AWS Certified Solutions Architect – Associate (SAA-C03) — Question 60
A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses. Downtime is not acceptable for the website.
Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)
Answer options
- A. Use AWS Shield Advanced to stop the DDoS attack.
- B. Configure Amazon GuardDuty to automatically block the attackers.
- C. Configure the website to use Amazon CloudFront for both static and dynamic content.
- D. Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs.
- E. Use EC2 Spot Instances in an Auto Scaling group with a target tracking scaling policy that is set to 80% CPU utilization.
Correct answer: A, C
Explanation
AWS Shield Advanced is specifically designed to provide enhanced DDoS protection, which makes option A one of the two correct choices. Amazon CloudFront helps distribute traffic and absorb DDoS attacks, which is why option C is also correct. The other options either do not effectively mitigate a large-scale DDoS attack or are not suitable for this scenario.