Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 159 discussion

AWS Shield Advanced is focused on protecting against DDoS attacks, while AWS WAF is focused on protecting against web exploits. However, both services can be used together to provide comprehensive protection for your applications.

I chose B since this is a DDOS attack and also option A could cause issues if legitimate traffic gets thrown on the ACL deny list

" The access logs show that each attack originates from different IP addresses. " implies DDoS

Nothing mentioned about DDoS in the question, plus A is simplier and less operational oevrhead

Option B sounds most logical answer in terms of least operational overhead. though it does not provide details about how to identify and add those IP addresses to Shield Advanced for DDos protection.

I think its option A. Option B is a paid service and it is for DDoS. Here that attack is not DDoS and it is excess traffic generated at application layer by certain IPs. Not in a distributed attack pattern. Advanced shield will give DDoS+WAF. But you already have WAF and using which you can block the IPs that is crossing set threshold. So option A is better choice. Option B is additional cost. Option C is wrong as you can not add deny rule in route table. Route table has only routes. Option D is operational overhead and then if you block the whole country , genuine traffic will also get blocked, which is not good.

"Least" Operational Overhead - B

B 100%

Research more information and correct my answer Letter B with this information https://docs.aws.amazon.com/waf/latest/developerguide/ddos-app-layer-protections.html

For me it would be the letter A Because AWS Shield Advanced is for DDOS attacks that happen at layer 3. However, in the question they say attacks in the application layer "The website often encounters attacks in the application layer." For this reason, I would consider that it cannot be B and A would be a more feasible solution. If anyone has more data, welcome to improve the community Attached answer from Bard from Google Here are some additional details about each solution:

״with the LEAST operational overhead״ is AWS SHIELD Advanced without doubts✅

B 100% AWS SHIELD

Deploy AWS Shield Advanced in addition to AWS WAF.

as long as i know or think to know, shield advanced, does nothing by default and needs to be configured. https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-ddos.html Note Shield Advanced doesn't automatically protect your resources after you subscribe. You must specify the resources you want Shield Advanced to protect configure the protections.

According to ChatGPT, the ff are what you get with Advanced over Basic. AWS Shield Advanced is a paid version of the service that provides additional protection against large scale and sophisticated DDoS attacks. This version includes all the features of the Basic version, but with additional capabilities such as 24/7 availability, a dedicated DDoS response team, and advanced attack analytics and reporting. Additionally, AWS Shield Advanced provides access to advanced DDoS protection and mitigation capabilities, such as the ability to customize protections for specific application requirements, and to mitigate attacks more quickly and effectively.

Reading more about option B, I pick B

Not sure. With WAF you get Shield, which hs DDoS. Not sure the the Shield dvnced gives you much more.