AWS DDoS Protection Solution

Protecting Your High Visibility Website

Question

Your company has a high visibility website, and it is prone to frequent DDoS attacks.

The application is hosted in an AWS Auto Scaling group with an application load balancer and a CloudFront distribution that distributes the traffic.

A Service is required to protect the application against layer 7 DDoS attacks, and you also need cost protection for the scaling charges as a result of a DDoS attack.

Which of the following options can achieve the requirements?

Answers

Explanations


Correct Answer - C.

AWS WAF, AWS Firewall Manager, and AWS Shield work together to create a comprehensive security solution.

To determine which service to choose, please check https://docs.aws.amazon.com/waf/latest/developerguide/waf-which-to-choose.html.

Option A is incorrect: As cost protection is required, AWS Shield Advanced should be selected.

With AWS Shield Advanced, customers can request credits if resources scale up because of a DDoS attack.

Option B is incorrect: Because AWS Shield Standard does not support cost protection.

Differences between AWS Shield Standard and AWS Shield Advanced can be found in https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html.

Option C is CORRECT: As a higher level of protection, AWS Shield Advanced adds features such as 24x7 access to the DDoS Response Team (now called the Shield Response Team, SRT), cost protection for scaling charges on protected resources, and post-attack forensic reports.

The WAF web ACL attached to the distribution is what handles layer 7: a rate-based rule throttles any single client that floods the site, and custom rules can block known-bad IPs or request patterns. Shield Advanced's application layer mitigation is built on AWS WAF rules, so the two are meant to be used together.

Option D is incorrect: Because AWS Security Hub is a service that provides a consolidated view of the security and compliance status in AWS.

It is not a service for DDoS protection.

The answer to this question is C. Enable AWS Shield Advanced and add the CloudFront distribution as a protected resource. Configure CloudWatch alarms to monitor the potential DDoS activity. Configure a WAF ACL to protect the application.

Explanation:

AWS Shield is a managed DDoS protection service that provides protection against infrastructure and application layer attacks. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost, and it mitigates the most common network and transport layer (layer 3 and 4) attacks. Layer 7 protection and cost protection require AWS Shield Advanced, which also includes AWS WAF for the protected resources at no extra charge and can deploy WAF rules automatically when an application layer attack is detected.

In this scenario, the application is hosted in an AWS Auto Scaling group with an application load balancer and a CloudFront distribution that distributes the traffic. To protect against layer 7 DDoS attacks, AWS Shield Advanced should be enabled, and the CloudFront distribution should be added as a protected resource. Cost protection only covers protected resources, so the application load balancer in front of the Auto Scaling group should be added as a protected resource as well if its scaling charges need to be covered.

In addition, CloudWatch alarms should be configured to monitor potential DDoS activity. Shield Advanced publishes a DDoSDetected metric for each protected resource, and an alarm on that metric (or on a sudden spike in CloudFront request counts) turns a detected event into a notification. Finally, a WAF web ACL should be configured to protect the application. This gives granular control over which requests reach the application: a rate-based rule caps requests per client IP over a sliding window, and additional rules can block known malicious IPs or request patterns.
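The following is an added example, not part of the original page or of any AWS sample, showing the three configuration pieces the answer describes as boto3 parameter dictionaries (Shield Advanced protection for the distribution, a CloudWatch alarm on the DDoSDetected metric, and a CloudFront-scoped WAF web ACL with a rate-based rule), plus a small sliding-window simulation of how that rate-based rule decides which requests to block. The account ID, distribution ID, limit values and the request log are constructed assumptions; the API parameter names and metric names are the real ones used by boto3 and CloudWatch.

```python
"""Added example: Shield Advanced + CloudWatch alarm + WAF rate-based rule
for a CloudFront distribution. Identifiers below are made up for illustration."""
from collections import deque

# Hypothetical identifiers (assumptions, not real resources)
ACCOUNT_ID = "123456789012"
DISTRIBUTION_ID = "E1ABCDEFGHIJKL"
CLOUDFRONT_ARN = f"arn:aws:cloudfront::{ACCOUNT_ID}:distribution/{DISTRIBUTION_ID}"

RATE_LIMIT = 2000   # requests per client IP per evaluation window (chosen value)
WINDOW_SEC = 300    # WAF rate-based rules evaluate over a 5-minute window by default


def shield_protection_params(resource_arn):
    """Parameters for shield.create_protection (requires a Shield Advanced subscription)."""
    return {"Name": "cloudfront-dist-protection", "ResourceArn": resource_arn}


def ddos_alarm_params(resource_arn):
    """Parameters for cloudwatch.put_metric_alarm.

    Shield Advanced publishes DDoSDetected (1 while an event is active, 0 otherwise)
    in the AWS/DDoSProtection namespace with a ResourceArn dimension.
    """
    return {
        "AlarmName": "ddos-detected-" + resource_arn.rsplit("/", 1)[-1],
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,          # alarm on the first 1-minute datapoint (a choice)
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
    }


def web_acl_params(name, limit=RATE_LIMIT):
    """Parameters for wafv2.create_web_acl.

    Scope CLOUDFRONT web ACLs must be created in us-east-1. The single rule blocks
    any client IP that exceeds `limit` requests in the evaluation window.
    """
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},
        "Rules": [
            {
                "Name": "per-ip-rate-limit",
                "Priority": 0,
                "Statement": {
                    "RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}
                },
                "Action": {"Block": {}},
                "VisibilityConfig": {
                    "SampledRequestsEnabled": True,
                    "CloudWatchMetricsEnabled": True,
                    "MetricName": "PerIpRateLimit",
                },
            }
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def simulate_rate_rule(requests, limit, window_sec):
    """Idealised model of a rate-based rule: a request is blocked when its client IP
    has more than `limit` requests in the trailing `window_sec` seconds (including
    this one). Real WAF re-evaluates counts periodically rather than per request,
    so production blocking lags slightly behind this model.
    """
    recent = {}          # ip -> deque of timestamps inside the window
    decisions = []
    for ts, ip in sorted(requests):
        q = recent.setdefault(ip, deque())
        while q and q[0] <= ts - window_sec:
            q.popleft()
        q.append(ts)     # blocked requests still count toward the rate
        decisions.append((ts, ip, "BLOCK" if len(q) > limit else "ALLOW"))
    return decisions


# Constructed request log: (unix-ish timestamp, client IP).
# A normal client sends one request every 10 s; an attacker sends 30 in 30 s.
SAMPLE_REQUESTS = [(t, "198.51.100.7") for t in range(0, 300, 10)] + \
                  [(100 + i, "203.0.113.9") for i in range(30)]


def blocked_ips(limit=20, window_sec=60):
    """Set of IPs that received at least one BLOCK decision on SAMPLE_REQUESTS."""
    return {ip for _, ip, action in simulate_rate_rule(SAMPLE_REQUESTS, limit, window_sec)
            if action == "BLOCK"}


if __name__ == "__main__":
    print(web_acl_params("high-visibility-site")["Rules"][0]["Statement"])
    print(ddos_alarm_params(CLOUDFRONT_ARN)["AlarmName"])
    print("blocked:", blocked_ips())
```

To apply these, pass the dictionaries to the real clients: `boto3.client("shield").create_protection(**shield_protection_params(CLOUDFRONT_ARN))`, `boto3.client("cloudwatch").put_metric_alarm(**ddos_alarm_params(CLOUDFRONT_ARN))` and `boto3.client("wafv2", region_name="us-east-1").create_web_acl(**web_acl_params("high-visibility-site"))`. For CloudFront the returned web ACL ARN is attached through the distribution's WebACLId setting rather than with AssociateWebACL, and the same web ACL cannot be reused for the ALB, which needs a REGIONAL-scope ACL.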

Option A is incorrect because it only protects the CloudFront distribution and not the application itself. Additionally, it does not provide cost protection for the scaling charges.

Option B is incorrect because it relies on AWS Shield Standard, whose protection is automatic but limited to infrastructure layer (layer 3 and 4) attacks. It does not provide layer 7 protection, and it does not provide cost protection for the scaling charges.

Option D is incorrect because it only configures DDoS protection standards in AWS Security Hub and uses AWS WAF rules to protect the application. It does not provide cost protection for the scaling charges, nor does it provide the advanced layer 7 protection that AWS Shield Advanced offers.