Exam AWS Certified Security - Specialty topic 1 question 205 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 205
Topic #: 1

An ecommerce website was down for 1 hour following a DDoS attack. Users were unable to connect to the website during the attack period. The ecommerce company's security team is worried about future potential attacks and wants to prepare for such events. The company needs to minimize downtime in its response to similar attacks in the future.
Which steps would help achieve this? (Choose two.)

  • A. Enable Amazon GuardDuty to automatically monitor for malicious activity and block unauthorized access.
  • B. Subscribe to AWS Shield Advanced and reach out to AWS Support in the event of an attack.
  • C. Use VPC Flow Logs to monitor network traffic and an AWS Lambda function to automatically block an attacker's IP using security groups.
  • D. Set up an Amazon CloudWatch Events rule to monitor the AWS CloudTrail events in real time, use AWS Config rules to audit the configuration, and use AWS Systems Manager for remediation.
  • E. Use AWS WAF to create rules to respond to such attacks.
Suggested Answer: BE

Comments

DayQuil
Highly Voted 3 years, 8 months ago
B and E. Using security groups could work but that would get saturated quickly as these are DDoS attacks.
upvoted 35 times
ChinkSantana
3 years, 8 months ago
What is GuardDuty? Managed threat detection service. WAF can't help you against DDoS attacks. It's A and B.
upvoted 5 times
[Removed]
3 years, 8 months ago
If WAS can't help you with DDoS then what can? What about rate limiting rules?
upvoted 5 times
[Removed]
3 years, 8 months ago
WAF******
upvoted 1 times
wahlbergusa
3 years, 7 months ago
Awful/poor/incapable wording in both the question and answers. First things first: AWS Shield Advanced INCLUDES AWS WAF. Memorize this. Mentioned here explicitly: https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html. Having said that, the rule of thumb in this forum should be: if you claim something then PROVE it with a public AWS documentation URL. AWS WAF is NOT, and I am saying it again, NOT for DDoS attacks. It is a Layer 7 firewall. Read the docs. It comes down to B and A or C. Now the wording of the question should have been better, because C is manual work while A is more automated/managed work. I'd pick A and B for this question. D is irrelevant because CloudTrail captures management and data events on AWS services, not applications. Hence it is ruled out. E is already included in B, but again WAF is irrelevant for DDoS.
upvoted 8 times
DahMac
3 years, 7 months ago
AWS Shield Advanced not only provides layer 3 and layer 4 protection and mitigation, but also includes AWS WAF at no extra charge and DRT assistance for layer 7 attacks. If you use AWS WAF and AWS Shield Standard, you must design your own layer 7 protection and mitigation processes. https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html Even if WAF is included, you may still have layer 7 DDoS. The following site seems to say BE, in my opinion. Add WAF rules for DDoS in layer 7 and use Adv Shield. https://docs.aws.amazon.com/waf/latest/developerguide/ddos-responding.html
upvoted 5 times
DerekKey
3 years, 7 months ago
GuardDuty is threat detection - the practice of analyzing the entirety of a security ecosystem to identify any malicious activity that could compromise the network.
upvoted 2 times
Daniel76
3 years, 8 months ago
For responding to a DDoS attack, WAF is mentioned but GuardDuty is not. https://docs.aws.amazon.com/waf/latest/developerguide/ddos-responding.html
upvoted 1 times
vasmourir
3 years, 6 months ago
SG are useless for (D)DOS as you can't explicitly deny anything with them.
upvoted 4 times
Raphaello
Most Recent 1 year, 3 months ago
Selected Answer: BE
Definitely the best protection and course of action in the event of a DDoS attack is using Shield Advanced (which provides SRT assistance), and using WAF rules to enforce L7 protection. Shield Standard provides L3 and L4 DDoS protection; the benefit of Shield Advanced is that it protects against L7 DDoS attacks in addition to L3 & L4, and enforces the use of a WAF Web ACL. That does not mean that Shield Advanced is mentioned so WAF should not, as it is "included". WAF. You can still use your own defined WAF web ACL rules/rule groups. BE are the correct answers.
upvoted 1 times
samCarson
1 year, 12 months ago
Selected Answer: BE
B. Subscribing to AWS Shield Advanced provides advanced DDoS protection and immediate support from AWS during an attack, minimizing downtime and ensuring business continuity. E. Using AWS WAF allows the company to create rules to block malicious traffic, mitigating the impact of DDoS attacks and minimizing downtime. A, C, and D. While Amazon GuardDuty, VPC Flow Logs with AWS Lambda, and Amazon CloudWatch Events with AWS Config and Systems Manager are valuable security measures, they primarily focus on monitoring, detecting, and responding to various security threats and vulnerabilities, but may not provide immediate measures to minimize downtime during a DDoS attack.
upvoted 2 times
michele_scar
2 years ago
Selected Answer: AB
E is included in B (Advanced) so it's A and B. CloudTrail is useless and VPC Flow Logs are monitored in GuardDuty (A).
upvoted 2 times
ITGURU51
2 years, 1 month ago
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime. Furthermore, WAF and Shield are fully integrated to provide a layered security approach. That is why the answer is BE.
upvoted 1 times
dcasabona
2 years, 10 months ago
Selected Answer: BE
I believe the question is asking to respond quickly, so AWS Adv. Shield and WAF will work in this phase of the attack.
upvoted 2 times
Appsec977
3 years ago
B is valid for all we know but E is valid as well because AWS WAF has a ruleset to rate limit (using COUNT) the user request in layer7, which stops DDOS.
upvoted 1 times
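
The rate limiting rules raised in this thread, as an added example that is not part of any comment and is not AWS's own code: a rate-based rule in the AWS WAFv2 rule shape, plus a simplified local model of how a per-IP limit over a trailing window treats traffic. The rule name, limit, 300-second window and sample IPs are constructed assumptions, and the model blocks instantly, which the managed service does not guarantee.

```python
from collections import defaultdict, deque

# Rule in the JSON shape of an AWS WAFv2 web ACL rule.
# Name, priority, limit and metric name are constructed values for this example.
RATE_RULE = {
    "Name": "per-ip-rate-limit",
    "Priority": 0,
    "Statement": {"RateBasedStatement": {"Limit": 100, "AggregateKeyType": "IP"}},
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "per-ip-rate-limit",
    },
}

WINDOW_SECONDS = 300  # trailing window assumed by this model


def evaluate(requests, rule=RATE_RULE, window=WINDOW_SECONDS):
    """Return (decisions, blocked_ips) for (timestamp, source_ip) pairs sorted by time.

    Simplified model: a request is blocked when its source IP has more than
    Limit requests (including this one) inside the trailing window.
    """
    limit = rule["Statement"]["RateBasedStatement"]["Limit"]
    seen = defaultdict(deque)          # source IP -> timestamps still in the window
    decisions, blocked = [], set()
    for ts, ip in requests:
        q = seen[ip]
        while q and q[0] <= ts - window:   # drop requests that aged out
            q.popleft()
        q.append(ts)
        if len(q) > limit:
            decisions.append("BLOCK")
            blocked.add(ip)
        else:
            decisions.append("ALLOW")
    return decisions, blocked


def sample_traffic():
    """Constructed traffic over 60 seconds: one noisy client and one normal client."""
    noisy = [(t * 0.2, "198.51.100.7") for t in range(300)]   # 5 requests/second
    normal = [(t * 2.0, "203.0.113.20") for t in range(30)]   # 0.5 requests/second
    return sorted(noisy + normal)
```
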
remyy
3 years ago
Selected Answer: BE
WAF and Shield !!
upvoted 1 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: BE
B and E. E is surely one thing you should do. B is better than A. https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
upvoted 1 times
w_a_r
3 years, 2 months ago
B, E https://docs.aws.amazon.com/waf/latest/developerguide/ddos-responding.html
upvoted 1 times
hi2vaisakh
3 years, 2 months ago
Selected Answer: BE
WAF and Shield Advanced are the right tools
upvoted 1 times
Freddie26
3 years, 2 months ago
B and E. Amazon GuardDuty is for threat detection. It's not an automatic service, but will generate a finding. It can help with some DDoS attacks. But to respond, a Lambda function would need to be set up. So this isn't as fast as AWS Shield. AWS Shield Advanced is a DDoS mitigation service. And it will respond without user intervention. Furthermore, you can even contact their team for further assistance. VPC flow log monitoring with a Lambda function would take time to set up. And security groups can't be used to block IP addresses (ACLs can do that, SGs can't). AWS Systems Manager and AWS Config are the wrong tools for a DDoS attack. AWS WAF adds layer 7 support to AWS Shield. It can help you create a baseline for traffic, and then to quickly respond. See https://www.youtube.com/watch?v=HnoZS5jj7pk
upvoted 1 times
RaySmith
3 years, 3 months ago
B and E is correct
upvoted 1 times
amaltare
3 years, 3 months ago
Selected Answer: BE
GuardDuty can only detect, cannot protect against DDoS attacks. It should be WAF and Shield Advanced.
upvoted 1 times
sam_live
3 years, 5 months ago
Whoever's saying answer is A should also explain how GuardDuty blocks traffic.
upvoted 1 times
SaucyVip3r
3 years, 5 months ago
Selected Answer: BE
B and E.
upvoted 1 times
jj22222
3 years, 5 months ago
A and E looks right - GuardDuty and WAF
upvoted 1 times