Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 377 discussion

A company is preparing to launch a public-facing web application in the AWS Cloud. The architecture consists of Amazon EC2 instances within a VPC behind an Elastic Load Balancer (ELB). A third-party service is used for the DNS. The company's solutions architect must recommend a solution to detect and protect against large-scale DDoS attacks.
Which solution meets these requirements?

  • A. Enable Amazon GuardDuty on the account.
  • B. Enable Amazon Inspector on the EC2 instances.
  • C. Enable AWS Shield and assign Amazon Route 53 to it.
  • D. Enable AWS Shield Advanced and assign the ELB to it.
Suggested Answer: D
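
What answer D amounts to in practice, as an added example (not part of the original page and not AWS sample code): check that the Shield Advanced subscription is active, resolve the load balancer to its ARN, and create the protection only if none exists. It assumes the ELB is one the `elbv2` API can look up by name and that boto3 has credentials; the `shield-<name>` protection name and the command-line arguments are made up for illustration.

```python
"""Put an ELB under AWS Shield Advanced protection, idempotently (added example)."""


class ShieldNotSubscribed(RuntimeError):
    """The account has no active Shield Advanced subscription."""


def ensure_elb_protected(shield, elbv2, lb_name):
    """Return (protection_id, created) for the load balancer named lb_name.

    shield and elbv2 are boto3 clients, or stand-ins exposing the same methods.
    """
    # Shield Standard is always on; Advanced is a separate subscription that
    # must be active before any resource can be assigned to it.
    state = shield.get_subscription_state()["SubscriptionState"]
    if state != "ACTIVE":
        raise ShieldNotSubscribed(f"Shield Advanced subscription is {state}")

    # Resolve the load balancer name to the ARN that Shield protects.
    found = elbv2.describe_load_balancers(Names=[lb_name])["LoadBalancers"]
    if len(found) != 1:
        raise LookupError(f"expected exactly one load balancer named {lb_name!r}")
    arn = found[0]["LoadBalancerArn"]

    # Reuse an existing protection instead of failing on a duplicate create.
    existing = shield.list_protections(
        InclusionFilters={"ResourceArns": [arn]}
    )["Protections"]
    if existing:
        return existing[0]["Id"], False

    created = shield.create_protection(Name=f"shield-{lb_name}", ResourceArn=arn)
    return created["ProtectionId"], True


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the function itself has no AWS dependency

    region, name = sys.argv[1], sys.argv[2]  # hypothetical: eu-west-1 my-public-alb
    pid, new = ensure_elb_protected(
        boto3.client("shield", region_name="us-east-1"),  # Shield's API endpoint
        boto3.client("elbv2", region_name=region),
        name,
    )
    print(("created" if new else "already protected"), pid)
```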

Comments

dmscountera
Highly Voted 3 years, 7 months ago
D. Enable AWS Shield Advanced and assign the ELB to it. DNS is not Route 53.
upvoted 51 times
Heyang
3 years, 5 months ago
Why not A?
upvoted 1 times
Phyo007
3 years, 4 months ago
A and B only detect and inspect, not protect.
upvoted 7 times
manan728
3 years, 5 months ago
Similar question with multiple answers (pick 2) was on my test on Nov 20 2021. Shield Advanced was one of the choices. The other had to do with Lambda to update the NACL with the IP address of the attacker on the subnet but it didn't mention "deny" in the statement so I didn't select that. GuardDuty was an option and there were two others. I can't remember which one I picked besides Shield Advanced. Those were some tough cookies to choose from. Good luck y'all.
upvoted 5 times
chael88
2 years, 10 months ago
A user posted this question in this discussion. Scroll down
upvoted 1 times
RidzV
3 years, 4 months ago
In that case, second option would be NACL related to reduce the surface of attack.
https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/aws-best-practices-ddos-resiliency.pdf
https://aws.amazon.com/shield/ddos-attack-protection/
upvoted 3 times
waqas
Highly Voted 3 years, 7 months ago
D to me, as there are large-scale attacks. And secondly, to me, C is wrong because Shield Standard is enabled by default.
upvoted 19 times
Sinaneos
Most Recent 2 years, 7 months ago
Selected Answer: D
The case includes a 3rd party DNS service, not Route 53. Therefore, that eliminated C and the answer is D.
upvoted 1 times
cloudwhizkid
2 years, 8 months ago
Answer is D - AWS Shield Advanced, check this link: https://aws.amazon.com/shield/faqs/
upvoted 1 times
naveenagurjara
2 years, 10 months ago
Selected Answer: D
...defending against large-scale DDoS assaults. That's Shield Advanced darlings!!
upvoted 3 times
Venki_dev
3 years, 1 month ago
Selected Answer: D
DDoS = AWS Shield
upvoted 3 times
tototo
3 years, 4 months ago
Selected Answer: D
Answer D
upvoted 1 times
muhsin
3 years, 4 months ago
The answer is C. ELB is not for layer 4 protection. It is NLB.
upvoted 1 times
Babs1976
3 years, 1 month ago
ELB is Elastic Load Balancer, this can be either ALB or NLB, so D is it bro.
upvoted 3 times
prex
3 years, 4 months ago
Selected Answer: D
Answer D
upvoted 1 times
paridhi
3 years, 4 months ago
Can someone answer this question?
A company is designing a cloud communications platform trial is driven by APIs. The application is hosted on Amazon EC2 instances behind a Network Load Balancer (NLB). The company uses Amazon API Gateway to provide external users with access to the application through APIs. The company wants to protect the platform against web exploits like SQL Injection and also wants to detect and mitigate large, sophisticated DDoS attacks. Which combination of solutions provides the MOST protection? (Select TWO.)
A. Use AWS WAF to protect the NLB
B. Use AWS Shield Advanced with the NLB
C. Use AWS WAF to protect Amazon API Gateway
D. Use Amazon GuardDuty with AWS Shield Standard
E. Use AWS Shield Standard with Amazon API Gateway
upvoted 1 times
RVD
3 years, 1 month ago
AWS Standard shield is by default applied on AWS resources level 1 protection. ANS: B & C
upvoted 3 times
LETSGETIT
3 years, 3 months ago
Answer is B,C
upvoted 5 times
silvique_ms
3 years, 5 months ago
AWS Shield is enabled by default and for “defending against large-scale DDoS assaults” I think AWS Shield Advanced is needed! D
upvoted 1 times
gargaditya
3 years, 5 months ago
NOTES:
1. Shield Standard enabled by default/no need to enable
2. Shield Standard is L3 L4 only, e.g. SYN/UDP floods, Reflection attacks, etc.
3. Shield Advanced includes L7 as well
4. Shield Advanced gives DDoS protection, NOT Shield Standard!!!
5. Shield Advanced includes WAF bundled with it
6. Shield Advanced gives access to dedicated DRT (DDoS Response Team)
7. Shield Advanced gives protection against high fees during usage spikes due to DDoS
Inspector: for EC2
- provides security assessments on EC2 (known vulnerabilities)
- need to install sw (agent) on EC2 (unless using just the 'network assessment' feature--agentless)
Guard Duty: to analyze logs
- analyze CloudTrail, VPC flow, DNS logs
- No need to install any sw since only analysing logs
- Can protect against CryptoCurrency attacks
Macie: for S3
- discover and protect your sensitive data (e.g. PII) in AWS
upvoted 18 times
gargaditya
3 years, 5 months ago
Choose D over C. Also, not sure if R53 is deployed (DNS handled by 3rd party). Standard need not be enabled, enabled by default. DDoS offered under Advanced, not Standard.
upvoted 3 times
gargaditya
3 years, 5 months ago
Additional note:
WAF: L7 protection
- Deploy only on CloudFront, ALB, API GW
- contains Web ACL/rules
- can do rate-based rules (to count no. of events)/this also helps in DDoS protection
- It protects against common attacks like SQL injection and XSS (Cross Site Scripting)--i.e. L7 based attacks
upvoted 5 times
Akash7
3 years, 5 months ago
D because AWS Shield Advanced is recommended to detect and protect against LARGESCALE DDoS attacks.
upvoted 5 times
Cotter
3 years, 5 months ago
Answer : C or D, kindly tell me.
upvoted 1 times
gargaditya
3 years, 5 months ago
D, Route 53 is not being used (managed by 3rd party). So best to apply on the ELB.
upvoted 3 times
gargaditya
3 years, 5 months ago
Also, Standard is enabled by default, no need to enable it. Also, Shield Standard is only for L3/L4 attacks like SYN/UDP, Reflector attacks. DDoS protection is a feature under Shield Advanced.
upvoted 2 times
Jamshif01
3 years, 5 months ago
It says LARGE scale of DDoS attacks.. that's why D
upvoted 1 times
theCreatorSD
3 years, 6 months ago
AWS Shield Standard is automatically enabled for all AWS customers at no additional cost.
upvoted 3 times
borisrabin03
3 years, 6 months ago
the answer is D - B will not work as DNS is external
upvoted 2 times
zek
3 years, 6 months ago
Answer is D !
upvoted 2 times