A company is building a cloud communications platform driven by APIs. The application runs on Amazon EC2 instances behind a Network Load Balancer (NLB), and external users access the application through Amazon API Gateway. The company needs protection from web exploits such as SQL injection and also wants to detect and mitigate large, sophisticated DDoS attacks. Which combination of solutions provides the MOST protection? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Use AWS Shield Advanced with the NLB., Use AWS WAF to protect Amazon API Gateway..
Why this is the answer
The correct options provide comprehensive protection. AWS WAF (Web Application Firewall) protects the API Gateway from common web exploits like SQL injection and cross-site scripting, as API Gateway is an HTTP/HTTPS endpoint. AWS Shield Advanced, when associated with the NLB, offers enhanced DDoS protection, including detection and mitigation of large, sophisticated attacks, and provides cost protection against scaling charges from DDoS events. Incorrect options: Using AWS WAF to protect the NLB is incorrect because NLBs operate at Layer 4 (transport layer) and do not support WAF integration, which operates at Layer 7 (application layer). Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, but it does not directly mitigate DDoS attacks or web exploits. AWS Shield Standard provides basic DDoS protection automatically for all AWS customers but lacks the advanced features and dedicated support needed for large, sophisticated attacks. Associating it directly with API Gateway doesn't provide the comprehensive, multi-layered protection required.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed