A company is building up an online shopping platform. Recently, the application has encountered frequent DDoS attacks such as UDP reflection attacks and SYN floods. The users’ experiences are impacted, and the cost increases sharply when servers scale up. You need to take action to mitigate the attacks. Which of the following actions can reduce the attack surface?

Answer options:

A.Enable AWS Shield for cost protection that allows users to request a refund of scaling related costs that result from a DDoS attack.
B.Configure Amazon CloudFront to distribute traffic to the application. Ensure that only the Amazon CloudFront distribution can forward requests to the origin.
C.Configure AWS Firewall Manager to centrally configure and manage AWS WAF rules across the AWS Organization. Create Firewall Manager policies using the AWS Organization master account.
D.Collect VPC Flow Logs to identify network anomalies and DDoS attack vectors. Set up CloudWatch alarms based on the key operational CloudWatch Metrics such as CPUUtilization.

Correct Answer – B
The AWS best practices for DDoS resiliency can be found in the white paper https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
Option A is incorrect: Cost protection is one feature of AWS Shield Advanced instead of normal AWS Shield. Users can claim a limited refund if servers scale up/down due to DDoS attacks for AWS Shield Advanced. Besides, this option is not an approach to reduce the attack surface.
Option B is CORRECT: This option improves the origin’s security as malicious users cannot bypass the Amazon CloudFront when accessing the web application. The attack surface is reduced.
Option C is incorrect: AWS Firewall Manager is a central management tool. This method does not reduce the attack surface.
Option D is incorrect: The methods in option D help to gain visibility into abnormal behaviors. However, the attack surface is not reduced.