AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A startup's web application is rapidly gaining popularity, and the technical leadership is concerned about volumetric distributed denial-of-service (DDoS) attacks that could disrupt uptime and degrade performance. As the Solutions Architect, which AWS service should you employ first to safeguard the application's availability against large network-layer (layer 3/4) floods?
AWS Shield is the purpose-built service for mitigating volumetric DDoS attacks.
AWS Shield Standard provides always-on, automatic protection, at no additional cost, against the most common network- and transport-layer attacks for resources such as Amazon CloudFront, Elastic IP addresses, and Amazon Route 53.
For greater coverage, AWS Shield Advanced adds tailored detection, larger mitigation capacity, cost-protection, and 24/7 access to the AWS Shield Response Team.
AWS WAF can block common web exploits and, as of 2025, offers managed rules that automatically mitigate layer-7 DDoS events, but it does not stop high-volume network-layer floods on its own; it is best used together with Shield. AWS Firewall Manager centrally enforces policies for WAF, Shield Advanced, Network Firewall, etc., yet it is not itself a mitigation engine. Amazon Inspector performs automated vulnerability assessments and provides no real-time DDoS protection. Therefore, AWS Shield is the correct choice to ensure uptime during volumetric attacks.