AWS Certified Solutions Architect – Professional — Question 434
You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks.
Which of the below are viable mitigation techniques? (Choose three.)
Answer options
- A. Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
- B. Use dedicated instances to ensure that each instance has the maximum performance possible.
- C. Use an Amazon CloudFront distribution for both static and dynamic content.
- D. Use an Elastic Load Balancer with auto scaling groups at the web, app and Amazon Relational Database Service (RDS) tiers.
- E. Add Amazon CloudWatch alerts to look for high Network In and CPU utilization.
- F. Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
Correct answer: C, D, E
Explanation
Amazon CloudFront (C) absorbs traffic at the AWS edge to protect backend resources, while Elastic Load Balancing combined with Auto Scaling (D) ensures the application can scale dynamically to handle sudden spikes in traffic. Setting up Amazon CloudWatch alarms (E) provides critical visibility by alerting administrators to unusual spikes in CPU and network usage. Other methods, such as adding ENIs, using dedicated instances, or managing OS-level firewalls, do not provide scalable or effective DDoS mitigation.