A company hosts its public ecommerce website on AWS. The site uses an AWS Global Accelerator accelerator for internet traffic. The accelerator forwards traffic to an Application Load Balancer (ALB) that fronts an Auto Scaling group. The company recently detected a DDoS attack and wants a solution to mitigate future attacks with the LEAST implementation effort. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Configure an AWS WAF web ACL on the ALB to block traffic using rate-based rules..
Why this is the answer
The correct solution is to configure an AWS WAF web ACL on the ALB to block traffic using rate-based rules. AWS WAF provides protection against common web exploits and bots, and rate-based rules automatically block IP addresses that send too many requests within a configurable time period, effectively mitigating DDoS attacks. Attaching WAF directly to the ALB is a straightforward implementation for this architecture. Configuring WAF on Global Accelerator is incorrect because Global Accelerator operates at Layer 4 (TCP/UDP), while WAF operates at Layer 7 (HTTP/HTTPS). WAF cannot be directly associated with Global Accelerator. Using an AWS Lambda function to update VPC network ACLs is overly complex and reactive. Network ACLs are stateless and operate at a lower level, making them less effective and harder to manage for dynamic web application attacks compared to WAF. Placing CloudFront in front of Global Accelerator is unnecessary and adds complexity. Global Accelerator already optimizes traffic routing globally, and CloudFront is typically used for content delivery and caching, not as a primary DDoS mitigation layer in this specific setup where Global Accelerator is already in place.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed