Question 12
Domain 2: Security and Compliance
A company hosts a public web application on AWS and wants protection from large-scale Distributed Denial of Service (DDoS) attacks with minimal operational effort. Which of the following is NOT an appropriate way to address this requirement?
Correct answer: B
Explanation
Security groups (stateful) and network ACLs (stateless) are traffic filters, not DDoS mitigation services, so they do not provide the "large-scale" attack protection the question asks for. AWS managed services such as AWS Shield are designed for exactly this need with "minimal operational effort," so relying only on SGs and NACLs is not an appropriate approach.
Why each option is right or wrong
A. Enable and rely on AWS Shield Standard, which provides automatic DDoS protection for supported services such as Amazon CloudFront and Elastic Load Balancing.
Shield Standard is enabled automatically and at no additional cost for these edge services, so it delivers network- and transport-layer DDoS protection with no operational effort from the company; this option is appropriate.
B. Rely only on security groups and network ACLs to stop DDoS attacks, without using any AWS managed DDoS protection services.
Security groups and network ACLs are traffic-filtering controls at the instance and subnet layers, not DDoS mitigation services, so they do not provide the large-scale attack absorption or automatic response expected here. AWS Shield Standard is enabled automatically at no extra cost for AWS edge services, and AWS Shield Advanced adds managed DDoS protection with 24/7 access to the AWS DDoS Response Team, making a filter-only approach inadequate for the stated requirement of minimal operational effort.
C. Purchase AWS Shield Advanced for critical resources to get enhanced DDoS protections, visibility, and access to the AWS DDoS Response Team (DRT).
Shield Advanced is a managed service, so the enhanced mitigations, attack visibility, and DRT support are provided by AWS rather than operated by the company; this option is appropriate.
D. Deploy AWS WAF with Amazon CloudFront to filter malicious HTTP(S) requests before they reach the application origin.
WAF rules evaluated at the CloudFront edge (including rate-based rules) drop malicious or excessive requests before they consume origin capacity, complementing Shield for application-layer floods; this option is appropriate.