AWS Certified Solutions Architect – Associate (SAA-C03) — Question 912

A company uses AWS to host its public ecommerce website. The website uses an AWS Global Accelerator accelerator for traffic from the internet. The Global Accelerator accelerator forwards the traffic to an Application Load Balancer (ALB) that is the entry point for an Auto Scaling group.

The company recently identified a DDoS attack on the website. The company needs a solution to mitigate future attacks.

Which solution will meet these requirements with the LEAST implementation effort?

Answer options

• A. Configure an AWS WAF web ACL for the Global Accelerator accelerator to block traffic by using rate-based rules
• B. Configure an AWS Lambda function to read the ALB metrics to block attacks by updating a VPC network ACL
• C. Configure an AWS WAF web ACL on the ALB to block traffic by using rate-based rules
• D. Configure an Amazon CloudFront distribution in front of the Global Accelerator accelerator

Correct answer: C

Explanation

Configuring AWS WAF with rate-based rules directly on the Application Load Balancer (ALB) is the most straightforward and least effort-intensive way to mitigate layer 7 DDoS attacks. Creating a custom AWS Lambda solution to modify network ACLs is highly complex and prone to hitting network ACL rule limits. Placing Amazon CloudFront in front of AWS Global Accelerator is architecturally redundant and does not offer a simpler mitigation path than securing the existing ALB with AWS WAF.