AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A startup's web application is rapidly gaining popularity, and the technical leadership is concerned about volumetric distributed denial-of-service (DDoS) attacks that could disrupt uptime and degrade performance. As the Solutions Architect, which AWS service should you employ first to safeguard the application's availability against large network-layer (layer 3/4) floods?
AWS Shield is the purpose-built service for mitigating volumetric DDoS attacks.
AWS Shield Standard provides always-on, automatic protection, at no additional cost, against the most common network- and transport-layer attacks for resources such as Amazon CloudFront, Elastic IP addresses, and Amazon Route 53.
For greater coverage, AWS Shield Advanced adds tailored detection, larger mitigation capacity, cost protection, and 24/7 access to the AWS Shield Response Team.
AWS WAF can block common web exploits and, as of 2025, offers managed rules that automatically mitigate layer-7 DDoS events, but it does not stop high-volume network-layer floods on its own; it is best used together with Shield. AWS Firewall Manager centrally enforces policies for WAF, Shield Advanced, Network Firewall, etc., yet it is not itself a mitigation engine. Amazon Inspector performs automated vulnerability assessments and provides no real-time DDoS protection. Therefore, AWS Shield is the correct choice to ensure uptime during volumetric attacks.