Your company has a high visibility website, and it is prone to frequent DDoS attacks. The application is hosted in an AWS Auto Scaling group with an application load balancer and a CloudFront distribution that distributes the traffic. A Service is required to protect the application against layer 7 DDoS attacks, and you also need cost protection for the scaling charges as a result of a DDoS attack. Which of the following options can achieve the requirements?

Answer options:

A.Configure AWS WAF ACLs with specific DDoS rules to protect the CloudFront distribution against layer 7 DDoS attacks.
B.Enable AWS Shield for the automatic layer 7 DDoS protection for resources such as CloudFront distributions and application load balancers.
C.Enable AWS Shield Advanced and add the CloudFront distribution as a protected resource. Configure CloudWatch alarms to monitor the potential DDoS activity. Configure a WAF ACL to protect the application.
D.Configure DDoS protection standards in AWS Security Hub which uses AWS WAF rules to protect the application from layer 7 DDoS attacks.

Correct Answer – C
AWS WAF, AWS Firewall Manager, and AWS Shield work together to create a comprehensive security solution. To determine which service to choose, please check https://docs.aws.amazon.com/waf/latest/developerguide/waf-which-to-choose.html.
Option A is incorrect: As cost protection is required, AWS Shield Advanced should be selected. With AWS Shield Advanced, customers can request credits if resources scale up because of a DDoS attack.
Option B is incorrect: Because AWS Shield Standard does not support cost protection. Differences between AWS Shield Standard and AWS Shield Advanced can be found in https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html.
Option C is CORRECT: As a high level of protection, AWS Shield Advanced adds extra features such as DDoS Response Team Support, cost protection and attack forensics reports. The WAF ACL is also able to protect the application from DDoS attacks.
Option D is incorrect: Because AWS Security Hub is a service that provides a consolidated view of the security and compliance status in AWS. It is not a service for DDoS protection.