Question 17
Domain 3: Infrastructure Security
A website currently runs on Amazon EC2, with mostly static content on the site. Recently, the site was subjected to a DDoS attack, and a Security Engineer was tasked with redesigning the edge security to help mitigate this risk in the future. What are some ways the Engineer could achieve this?
Correct answer: D
Explanation
AWS edge defenses against a DDoS attack include “AWS WAF,” “load balancers,” “Amazon CloudFront,” and “AWS Shield.” The guide also says to use “layers of defense by combining edge security services” and to apply “rate limit” and other restrictions at the edge, so combining these measures is the right approach.
Why each option is right or wrong
A. Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
CloudFront can front static content, reducing direct origin exposure at the edge.
B. Use AWS WAF security rules to inspect the inbound traffic.
AWS WAF inspects inbound traffic and supports edge restrictions like rate limiting.
C. Use Amazon Route 53 to distribute traffic.
Amazon Route 53 is an edge service used to distribute traffic and support resilience.
D. All of the above
Each of the listed options is a valid answer; all are needed.