A solutions architect must design a highly available infrastructure for a website powered by Windows web servers on Amazon EC2 instances. The solution must mitigate a large-scale DDoS attack originating from thousands of IP addresses. Downtime is not acceptable. Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Use AWS Shield Advanced to stop the DDoS attack., Configure the website to use Amazon CloudFront for both static and dynamic content..
Why this is the answer
AWS Shield Advanced provides enhanced DDoS protection for applications running on AWS, including automatic detection and mitigation of large-scale attacks, making it ideal for preventing downtime from thousands of IP addresses. Amazon CloudFront, as a global content delivery network (CDN), caches content closer to users and absorbs a significant portion of DDoS traffic before it reaches the origin servers. It also integrates with AWS Shield for further protection. GuardDuty is a threat detection service, not a DDoS mitigation service; it can identify malicious activity but doesn't automatically block attackers. Using Lambda to update NACLs for thousands of IPs is inefficient and reactive, not proactive DDoS protection. EC2 Spot Instances are for cost optimization and can be interrupted, making them unsuitable for critical, highly available web servers, and an Auto Scaling policy based on CPU utilization won't directly mitigate a DDoS attack.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed