AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your organization runs a high-traffic e-commerce platform on Amazon EC2 instances behind Application Load Balancers (ALB) in two AWS Regions. During a recent incident, a large HTTP request flood saturated the ALBs, forced excessive scale-out, and increased latency for legitimate users. The security team now requires a managed, layered defense that (1) blocks malicious layer-7 traffic as close to the users as possible, (2) automatically detects and mitigates future volumetric HTTP floods with minimal operator effort, (3) maintains low-latency delivery for customers worldwide, and (4) provides real-time metrics and notifications whenever mitigations occur.
Which solution will BEST meet these requirements?
Associate an AWS WAF web ACL containing rate-based rules and AWS Managed Rules directly with each ALB, rely on AWS Shield Standard for DDoS protection, and configure CloudWatch alarms on ALB metrics to send Amazon SNS notifications.
Insert AWS Network Firewall endpoints in a dedicated security VPC, route all inbound internet traffic through the firewall, create stateless rule groups to drop excessive HTTP requests, and use CloudWatch metrics from Network Firewall for alerting.
Create an AWS Global Accelerator that points to Network Load Balancer endpoints in each Region, attach an AWS WAF web ACL with managed rule sets to the accelerator, enable AWS Shield Advanced on the accelerator, and configure CloudWatch alarms for notifications.
Put an Amazon CloudFront distribution in front of the ALBs, subscribe the account to AWS Shield Advanced, associate an AWS WAF web ACL (using AWS Managed Rules and rate-based rules) with the CloudFront distribution, enable automatic application-layer DDoS mitigation, and configure CloudWatch alarms on Shield metrics that publish to SNS.
Placing Amazon CloudFront in front of the Regional ALBs and enabling AWS Shield Advanced with an AWS WAF web ACL satisfies every stated requirement. When the web ACL is associated with CloudFront, all requests are inspected at AWS edge locations, so malicious traffic is blocked before it can reach the ALBs or trigger additional scaling. Shield Advanced adds automatic application-layer DDoS detection and mitigation, cost protection, and CloudWatch metrics such as DDoSDetected, which can be tied to Amazon SNS for real-time alerts. Managed rule groups and rate-based rules inside the web ACL further limit HTTP floods.
Attaching WAF only to the ALBs performs inspection inside each Region; the traffic still reaches the load balancers and can exhaust capacity, and Shield Standard offers no automatic L7 mitigation. AWS Network Firewall is designed for VPC-level packet filtering and does not deliver global edge protection or managed L7 DDoS capabilities. Attaching a web ACL to AWS Global Accelerator or to a Network Load Balancer is not viable, because AWS WAF cannot be associated with either resource type, so that option cannot meet the stated requirements.
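The following CloudFormation template is an added illustration of the chosen option, not part of the original question: it creates the edge web ACL (managed rule group plus rate-based rule) for an existing CloudFront distribution, a Shield Advanced protection with automatic application-layer mitigation, and a CloudWatch alarm on the Shield DDoSDetected metric that publishes to SNS. The parameter and resource names, the 2000-request limit and the e-mail subscription are assumptions, and the account's Shield Advanced subscription is assumed to have been created outside CloudFormation.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DistributionArn: { Type: String }   # assumed: ARN of the distribution that fronts the Regional ALBs
  AlertEmail: { Type: String }        # assumed: address that receives mitigation notifications
Resources:
  # CloudFront-scoped web ACL (created in us-east-1); attach it by setting the distribution's WebACLId to !GetAtt EdgeWebAcl.Arn
  EdgeWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: ecommerce-edge-acl
      Scope: CLOUDFRONT
      DefaultAction: { Allow: {} }
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ecommerce-edge-acl }
      Rules:
        - Name: AWSManagedRulesCommonRuleSet    # managed rule group for common web exploits
          Priority: 0
          OverrideAction: { None: {} }
          Statement:
            ManagedRuleGroupStatement: { VendorName: AWS, Name: AWSManagedRulesCommonRuleSet }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: common-rule-set }
        - Name: RateLimitPerSourceIp            # rate-based rule: block any source IP above 2000 requests per 5 minutes
          Priority: 1
          Action: { Block: {} }
          Statement:
            RateBasedStatement: { Limit: 2000, AggregateKeyType: IP }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: rate-limit }
  # Shield Advanced protection on the distribution; automatic application-layer DDoS mitigation blocks detected floods
  CloudFrontProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: ecommerce-cloudfront
      ResourceArn: !Ref DistributionArn
      ApplicationLayerAutomaticResponseConfiguration: { Action: { Block: {} }, Status: ENABLED }
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription: [{ Endpoint: !Ref AlertEmail, Protocol: email }]
  DdosDetectedAlarm:                            # any non-zero DDoSDetected sample notifies the SNS topic
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: AWS/DDoSProtection
      MetricName: DDoSDetected
      Dimensions: [{ Name: ResourceArn, Value: !Ref DistributionArn }]
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions: [!Ref AlertTopic]
```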
Exam domain: Design for New Solutions