AWS Certified Solutions Architect – Associate (SAA-C03) — Question 900
A company is building an application in the AWS Cloud. The application is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses Amazon Route 53 for the DNS.
The company needs a managed solution with proactive engagement to detect DDoS attacks.
Which solution will meet these requirements?
Answer options
- A. Enable AWS Config. Configure an AWS Config managed rule that detects DDoS attacks.
- B. Enable AWS WAF on the ALB. Create an AWS WAF web ACL with rules to detect and prevent DDoS attacks. Associate the web ACL with the ALB.
- C. Store the ALB access logs in an Amazon S3 bucket. Configure Amazon GuardDuty to detect and take automated preventative actions for DDoS attacks.
- D. Subscribe to AWS Shield Advanced. Configure hosted zones in Route 53. Add ALB resources as protected resources.
Correct answer: D
Explanation
AWS Shield Advanced offers comprehensive DDoS protection that includes proactive engagement and 24/7 access to the AWS Shield Response Team (SRT) during an event. This service directly protects resources such as Application Load Balancers and Route 53 hosted zones. Other services like AWS WAF, AWS Config, and Amazon GuardDuty do not provide the specialized, proactive human response and managed DDoS mitigation features offered by Shield Advanced.