Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 104 discussion

I think it is AC, reason is they require a solution that is highly available. AWS Shield can handle the DDoS attacks. To make the solution HA you can use cloud front. AC seems to be the best answer imo. AB seem like redundant answers. How do those answers make the solution HA?

Option A. Use AWS Shield Advanced to stop the DDoS attack. It provides always-on protection for Amazon EC2 instances, Elastic Load Balancers, and Amazon Route 53 resources. By using AWS Shield Advanced, the solutions architect can help protect the website from large-scale DDoS attacks. Option C. Configure the website to use Amazon CloudFront for both static and dynamic content. CloudFront is a content delivery network (CDN) that integrates with other Amazon Web Services products, such as Amazon S3 and Amazon EC2, to deliver content to users with low latency and high data transfer speeds. By using CloudFront, the solutions architect can distribute the website's content across multiple edge locations, which can help absorb the impact of a DDoS attack and reduce the risk of downtime for the website.

AWS Shield Advanced protects form DDos attacks while CloudFront deals with the downtime.

Note great options for us to select but AC seem make more sense comparing to others

CoPilot - "No, you do not need Amazon CloudFront to implement AWS Shield Advanced. AWS Shield Advanced provides protection for several AWS services, including Amazon EC2, Elastic Load Balancing (ELB), AWS Global Accelerator, and Amazon Route 53 resources, in addition to CloudFront distributions1. It’s designed to offer more sophisticated protection against Distributed Denial of Service (DDoS) attacks, regardless of the AWS service being used1. However, it’s important to note that while CloudFront is not a requirement, using AWS Shield Advanced with CloudFront can enhance your application’s security by providing additional DDoS protection."

A and C is the most logical combination, we implement cloudfront so we can use shield advanced. Both of these options mitigate the impact of a DDOS attack.

AC is more close to meet the requirenment

A: For DDoS attakcs C: For scalable available site B: Irrelevant D: How would Lambda identify the attacker IP even if this was possible (ACL has a limit of 40 rules each way) E: Scaling is not an issue here

A - use aws shield advanced for DDoS protection, but it cannot be used with EC2 instace if it's not using EIP, which is not mentioned C - but it can be used with cloudfront distribution thus AC is the answer

DDoS attack will choose the AWS Shield Advanced Cloudfront have attached the WAF

A - no brainer E = "must design a highly available infrastructure". I am not sure if CloudFront addresses this requirement.

Mitigate a large-scale DDoS attack = AWS Shield Advanced Downtime is not acceptable for the website = high availability = Amazon CloudFront

yeah , AWS Shield Advanced can be used directly on EC2..... https://docs.aws.amazon.com/waf/latest/developerguide/ddos-protections-by-resource-type.html

Cloud front supports SHIELD ADVANCED integration

Cloud front supports SHIELD ADVANCED integration

D should be the one here

A. AWS Shield Advanced provides advanced DDoS protection for AWS resources, including EC2. It includes features such as real-time threat intelligence, automatic protection, and DDoS cost protection. C. CloudFront is a CDN service that can help mitigate DDoS attacks. By routing traffic through CloudFront, requests to the website are distributed across multiple edge locations, which can absorb and mitigate DDoS attacks more effectively. CloudFront also provides additional DDoS protection features, such as rate limiting, SSL/TLS termination, and custom security policies. B. While GuardDuty can detect and provide insights into potential malicious activity, it is not specifically designed for DDoS mitigation. D. Network ACLs are not designed to handle high-volume traffic or DDoS attacks efficiently. E. Spot Instances are a cost optimization strategy and may not provide the necessary availability and protection against DDoS attacks compared to using dedicated instances with DDoS protection mechanisms like Shield Advanced and CloudFront.