AWS Certified Solutions Architect – Associate (SAA-C03) — Question 662
A city has deployed a web application running on Amazon EC2 instances behind an Application Load Balancer (ALB). The application's users have reported sporadic performance, which appears to be related to DDoS attacks originating from random IP addresses. The city needs a solution that requires minimal configuration changes and provides an audit trail for the DDoS sources.
Which solution meets these requirements?
Answer options
- A. Enable an AWS WAF web ACL on the ALB, and configure rules to block traffic from unknown sources.
- B. Subscribe to Amazon Inspector. Engage the AWS DDoS Response Team (DRT) to integrate mitigating controls into the service.
- C. Subscribe to AWS Shield Advanced. Engage the AWS DDoS Response Team (DRT) to integrate mitigating controls into the service.
- D. Create an Amazon CloudFront distribution for the application, and set the ALB as the origin. Enable an AWS WAF web ACL on the distribution, and configure rules to block traffic from unknown sources.
Correct answer: C
Explanation
AWS Shield Advanced is enabled per resource, so the existing ALB can be added as a protected resource without changing the application architecture or DNS, which satisfies the minimal-configuration requirement. The subscription includes the AWS DDoS Response Team (DRT, now called the Shield Response Team), which can be granted an IAM role to apply mitigations such as AWS WAF rules on the city's behalf during an attack (AWS WAF usage on Shield Advanced protected resources is included in the subscription). Shield Advanced also records diagnostics for every detected attack in the Shield console and API: attack vectors, top contributing source IPs and ASNs, and the mitigations applied, which is the audit trail of DDoS sources the city asked for. Two practical caveats: engaging the DRT requires a Business or Enterprise Support plan, and Shield Advanced carries a one-year subscription commitment.

Amazon Inspector is a vulnerability scanner for EC2 instances, container images and Lambda functions, not a DDoS protection service, so Option B is wrong. Options A and D depend on WAF rules that "block traffic from unknown sources", which cannot work for a public city website whose legitimate users also arrive from arbitrary IP addresses; a rate-based rule could throttle some abusive sources, but the city would have to write and tune it and gets no managed response team. Option D additionally requires putting the application behind a new CloudFront distribution and repointing DNS, a significant architectural change, so it fails the minimal-configuration requirement even though CloudFront itself absorbs DDoS traffic well.
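As an added example (not part of the original question or of AWS documentation), the onboarding and audit-retrieval steps the correct answer implies, expressed as AWS CLI calls: subscribe, protect the ALB, create a least-privilege role that only the DRT service principal can assume, and pull the recorded attack diagnostics. The ALB ARN, account ID and role name are placeholder assumptions; the AWS calls need credentials and, for the DRT role step, a Business or Enterprise Support plan, so they run only when SHIELD_APPLY=1 is set.

```shell
#!/usr/bin/env sh
# Added example: Shield Advanced onboarding for an ALB plus attack audit trail.
# Placeholder values (assumptions, replace with your own):
ALB_ARN="${ALB_ARN:-arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/city-web/50dc6c495c0c9188}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
DRT_ROLE_NAME="${DRT_ROLE_NAME:-ShieldDRTAccessRole}"

# AWS managed policy that gives the DRT read access to Shield/WAF data and the
# ability to place WAF mitigations on your protected resources, nothing more.
DRT_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"

# Trust policy: only the Shield Response Team's service principal may assume
# the role (drt.shield.amazonaws.com is the real principal name).
drt_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "drt.shield.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Builds the TimeRange shorthand list-attacks expects, e.g.
# attack_window 2024-01-01T00:00:00Z -> FromInclusive=2024-01-01T00:00:00Z
attack_window() {
  printf 'FromInclusive=%s' "$1"
}

subscribe_and_protect() {
  # One-year commitment; create-subscription runs once per account.
  aws shield create-subscription
  # Protection is per resource: the ALB keeps its DNS name and listeners.
  aws shield create-protection --name city-alb --resource-arn "$ALB_ARN"
}

grant_drt_access() {
  drt_trust_policy > /tmp/drt-trust.json
  aws iam create-role --role-name "$DRT_ROLE_NAME" \
    --assume-role-policy-document file:///tmp/drt-trust.json
  aws iam attach-role-policy --role-name "$DRT_ROLE_NAME" --policy-arn "$DRT_POLICY_ARN"
  # Requires Business or Enterprise Support; the policy above must be attached.
  aws shield associate-drt-role --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${DRT_ROLE_NAME}"
}

# Audit trail: every detected attack is recorded with its vectors, top
# contributors (source IPs / ASNs) and the mitigations Shield or the DRT applied.
attack_audit() {
  since="$1"
  aws shield list-attacks --resource-arns "$ALB_ARN" \
    --start-time "$(attack_window "$since")" \
    --query 'AttackSummaries[].AttackId' --output text |
  tr '\t' '\n' | while read -r id; do
    [ -n "$id" ] && aws shield describe-attack --attack-id "$id" \
      --query 'Attack.{Start:StartTime,End:EndTime,Layers:AttackProperties[].AttackLayer,TopSources:AttackProperties[].TopContributors[].Name,Mitigations:Mitigations[].MitigationName}'
  done
}

if [ "${SHIELD_APPLY:-0}" = "1" ]; then
  subscribe_and_protect
  grant_drt_access
  attack_audit "2024-01-01T00:00:00Z"
fi
```

The trust policy is the least-privilege point: the DRT never receives account credentials, only the ability to assume a role you created, scoped by the AWS managed policy, and you can revoke it at any time with `aws shield disassociate-drt-role`. The `DDoSDetected` metric in the `AWS/DDoSProtection` CloudWatch namespace is the signal to alarm on alongside the describe-attack records.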