A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB) and uses Amazon Route 53 for DNS. The company needs a managed solution with proactive engagement to detect and respond to DDoS attacks. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Subscribe to AWS Shield Advanced. Configure hosted zones in Route 53. Add ALB resources as protected resources..
Why this is the answer
AWS Shield Advanced provides managed DDoS protection with proactive engagement from the AWS DDoS Response Team (DRT), directly addressing the requirement for a managed solution with proactive response. By subscribing to Shield Advanced and protecting the ALB resources, the company gains enhanced DDoS protection beyond what Shield Standard offers. Configuring hosted zones in Route 53 is a prerequisite for routing traffic to the ALB, but the core protection comes from Shield Advanced. Enabling AWS Config and configuring a managed rule is incorrect because AWS Config is primarily for compliance auditing and resource configuration changes, not for real-time DDoS detection and response. Enabling AWS WAF on the ALB with custom rules can help mitigate some DDoS attacks, but it doesn't offer the same level of managed service, proactive engagement, or comprehensive protection against large-scale, sophisticated DDoS attacks as Shield Advanced. Storing ALB access logs in S3 and configuring GuardDuty is incorrect because GuardDuty focuses on threat detection for various AWS services, but it's not designed as a primary, proactive DDoS mitigation service for application-layer attacks on ALBs, nor does it offer the DRT engagement.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed