Q19 — AWS SAP-C02 Ch.3

Q244. A company has a website that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB is associated with an AWS WAF web ACL. The website often encounters attacks in the application layer. The attacks produce sudden and significant increases in traffic on the application server. The access logs show that each attack originates from different IP addresses. A solutions architect needs to implement a solution to mitigate these attacks. Which solution will meet these requirements with the LEAST operational overhead?

Correct Answer: B. Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource

Explanation

Option A is incorrect because adding IP addresses to a web ACL's deny list manually will require continuous monitoring of the access logs, which is not a scalable or efficient solution.

Option C is incorrect because adding deny rules in the application server's subnet route table for any IP addresses that activate the alarm can be complex and requires extra effort to maintain. It also doesn't address the sudden and significant increases in traffic on the application server caused by the attacks.

Option D is incorrect because identifying patterns of IP addresses that launched attacks in the access logs can be time-consuming, and there is no guarantee that all future attacks will originate from the same countries. Also, blocking entire countries may not be desirable or practical for some businesses.

Option B is the optimal solution as it involves deploying AWS Shield Advanced in addition to AWS WAF, which provides advanced DDoS protection and mitigation. Adding the ALB as a protected resource ensures that the website is protected against both network-layer and application-layer attacks without requiring additional configurations or management overhead.