AWS Certified Solutions Architect – Professional — Question 390
What combination of steps could a Solutions Architect take to protect a web workload running on Amazon EC2 from DDoS and application layer attacks? (Choose two.)
Answer options
- A. Put the EC2 instances behind a Network Load Balancer and configure AWS WAF on it.
- B. Migrate the DNS to Amazon Route 53 and use AWS Shield.
- C. Put the EC2 instances in an Auto Scaling group and configure AWS WAF on it.
- D. Create and use an Amazon CloudFront distribution and configure AWS WAF on it.
- E. Create and use an internet gateway in the VPC and use AWS Shield.
Correct answer: B, D
Explanation
Using an Amazon CloudFront distribution with AWS WAF configured on it protects the application layer (Layer 7) by filtering malicious HTTP/HTTPS requests. Migrating DNS to Amazon Route 53 and using AWS Shield provides comprehensive protection against infrastructure-layer (Layer 3 and 4) DDoS attacks. The other options are incorrect because AWS WAF cannot be directly attached to a Network Load Balancer or an Auto Scaling group, and AWS Shield cannot be directly configured on an internet gateway.