AWS Shield

AWS Shield

  • AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
  • AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
  • AWS Shield now provides two key capabilities: AWS Shield network security director (preview) for proactive network posture analysis and AWS Shield Advanced for managed DDoS protection.
  • AWS Shield detects the following classes of attacks:
    • Network Volumetric Attacks (Layer 3)
      • This is a subcategory of infrastructure layer attack vectors.
      • These vectors attempt to saturate the capacity of the targeted network or resource, to deny service to legitimate users.
    • Network Protocol Attacks (Layer 4)
      • This is a subcategory of infrastructure layer attack vectors.
      • These vectors abuse a protocol to deny service to the targeted resource.
      • A common example of a network protocol attack is a TCP SYN flood, which can exhaust connection state on resources like servers, load balancers, or firewalls.
      • A network protocol attack can also be volumetric, e.g., a larger TCP SYN flood may intend to saturate the capacity of a network while also exhausting the state of the targeted resource or intermediate resources.
    • Application Layer Attacks (Layer 7)
      • This category of attack vector attempts to deny service to legitimate users by flooding an application with queries that are valid for the target, such as web request floods.

AWS Shield Tiers

AWS Shield Standard

  • provides automatic protections to all customers at no additional charge.
  • defends against the most common, frequently occurring network and transport layer DDoS attacks that target websites or applications.
  • when used with CloudFront and Route 53, provides comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
  • uses techniques such as deterministic packet filtering and priority-based traffic shaping to automatically mitigate basic network layer attacks.
  • provides always-on network flow monitoring, which inspects incoming traffic to AWS services and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time.
  • sets static thresholds for each AWS resource type but does not provide customized protection for individual applications.

AWS Shield Advanced

  • is a managed service that helps protect the application against external threats, like DDoS attacks, volumetric bots, and vulnerability exploitation attempts.
  • provides additional detection and mitigation against large and sophisticated DDoS attacks, and near real-time visibility into attacks.
  • protects resources including Amazon CloudFront distributions, Amazon Route 53 hosted zones, AWS Global Accelerator standard accelerators, Elastic IP addresses, Application Load Balancers, and Classic Load Balancers.
  • EC2 instances and Network Load Balancers can be protected by association with protected Elastic IP addresses.
  • allows up to 1,000 resources per resource type per AWS account.
  • provides integration with AWS WAF at no additional charge. Shield Advanced subscribers receive up to 50 billion AWS WAF requests per calendar month for WAF-protected resources.
  • also gives 24×7 access to the AWS Shield Response Team (SRT) and protection against DDoS-related spikes in the EC2, ELB, CloudFront, AWS Global Accelerator and Route 53 charges.
  • provides DDoS cost protection to safeguard against scaling charges resulting from DDoS-related usage spikes on protected resources.
  • in addition to the network and transport layer attacks, it also detects application layer (Layer 7) attacks such as HTTP floods or DNS query floods by baselining traffic on the application and identifying anomalies.
  • is available globally on all CloudFront, Global Accelerator, and Route 53 edge locations.
  • includes centralized protection management using Firewall Manager (included at no extra cost with a Shield Advanced subscription), which can automatically
    • configure policies covering multiple accounts and resources
    • audit accounts to find new or unprotected resources, and ensure that Shield Advanced and AWS WAF protections are universally applied.
  • provides complete visibility into DDoS attacks with near real-time notification through CloudWatch and detailed diagnostics on the AWS WAF and AWS Shield console or APIs.

Shield Advanced – Customized Detection

  • provides customized detection based on traffic patterns to protected Elastic IP addresses, ELB, CloudFront, Global Accelerator, and Route 53 resources.
  • uses additional monitoring techniques for individual regions and resources to detect smaller DDoS attacks and alert about them.
  • detects application layer DDoS attacks by baselining incoming traffic and identifying anomalies.

Shield Advanced – Health-Based Detection

  • uses health check data from Route 53 to improve responsiveness, detection accuracy, and mitigation speed.
  • requires associating a Route 53 health check with a Shield Advanced-protected resource through the console or API.
  • enables Shield Advanced to detect attacks faster using lower traffic thresholds, improving application DDoS resilience and preventing false alerts.
  • resource health status is also available to the SRT to help prioritize remediation of unhealthy applications.
  • can be used with all Shield Advanced-supported resource types.

Shield Advanced – Protection Groups

  • allows you to bundle resources into protection groups, treating multiple resources as a single unit for detection and mitigation.
  • grouping resources improves detection accuracy, reduces false positives, simplifies automatic protection of newly created resources, and accelerates mitigation.
  • for example, if an application has four CloudFront distributions, they can be added to one protection group for unified detection and protection.
  • reporting can be collected at the protection group level for a holistic view of overall application health.

Shield Advanced – Proactive Engagement

  • provides proactive engagement from the SRT after DDoS events are detected.
  • when enabled, if a Route 53 health check shows your protected resource as unhealthy during a DDoS attack, the SRT contacts you directly.
  • can be enabled for network and transport layer events on Elastic IP and Global Accelerator resources, and for application layer attacks on CloudFront distributions and Application Load Balancers.

Anti-DDoS Managed Rule Group (AMR) for AWS WAF

  • Launched in June 2025, the Anti-DDoS Managed Rule Group (AWSManagedRulesAntiDDoSRuleSet) is an AWS Managed Rule for AWS WAF that automatically detects and mitigates application layer (L7) DDoS events within seconds.
  • As of March 26, 2026, the Anti-DDoS AMR is the default solution for protection against HTTP request flood attacks, superseding the legacy Layer 7 Auto Mitigation (L7AM) feature.
  • Existing Shield Advanced customers can continue using the legacy L7AM but are encouraged to adopt the Anti-DDoS AMR for faster detection (seconds vs. minutes).
  • The AMR learns traffic patterns and establishes baselines for each protected resource within minutes of activation.
  • Uses machine learning models to identify traffic anomalies and assigns suspicion scores to requests for use in mitigations.
  • Supports resources behind Amazon CloudFront, Application Load Balancer (ALB), and API Gateway.
  • For Shield Advanced customers, the AMR is included in the subscription. It is also available as a pay-as-you-go alternative for non-Shield Advanced customers.
  • Provides configurable sensitivity settings and URI-path-specific protection.
  • When a DDoS event is detected, the AMR adds labels (event-detected, ddos-request) to requests for custom downstream handling.
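As an added example (not the page's or AWS's own code), the following Python builds the web ACL rules that attach the Anti-DDoS managed rule group, adds a follow-on rule that uses the ddos-request label for stricter handling on a hypothetical checkout path, and triages constructed AWS WAF log records by the AMR labels. The configuration keys, full label names (the page cites only the suffixes) and the log layout are taken from the public AWS WAF documentation as I understand it and should be treated as assumptions to verify against the current docs.

```python
"""Anti-DDoS managed rule group: web ACL rules plus label-based triage.

Added example, not the page's or AWS's own code. Configuration keys, label
names and the WAF log layout follow the public AWS WAF documentation as I
understand it (treat them as assumptions and check current docs); the log
records below are constructed.
"""
import json
from collections import Counter

# Full label names are assumed; the page cites only the suffixes.
LABEL_PREFIX = "awswaf:managed:aws:anti-ddos:"
LABEL_EVENT = LABEL_PREFIX + "event-detected"
LABEL_DDOS = LABEL_PREFIX + "ddos-request"

# Hypothetical path that gets stricter handling than the AMR default.
CRITICAL_PATH_REGEX = "^/api/checkout"


def visibility(name):
    """CloudWatch metric settings that every web ACL rule needs."""
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def anti_ddos_rules(block_sensitivity="LOW", exempt_uri_regexes=()):
    """Rules[] for a web ACL: the AMR first (priority 0), then a custom
    label-match rule that blocks any request the AMR tagged as a DDoS
    request when it hits the critical path, whatever the AMR sensitivity."""
    amr = {
        "Name": "AntiDDoS",
        "Priority": 0,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesAntiDDoSRuleSet",
            "ManagedRuleGroupConfigs": [{"AWSManagedRulesAntiDDoSRuleSet": {
                "ClientSideActionConfig": {"Challenge": {
                    "UsageOfAction": "ENABLED",
                    "Sensitivity": "HIGH",
                    # Paths that must never receive a JS challenge (API calls)
                    "ExemptUriRegularExpressions": [
                        {"RegexString": r} for r in exempt_uri_regexes],
                }},
                "SensitivityToBlock": block_sensitivity,
            }}],
        }},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": visibility("AntiDDoS"),
    }
    # Downstream handling: AND(label present, critical path) -> BLOCK.
    guard = {
        "Name": "BlockFlaggedOnCheckout",
        "Priority": 1,
        "Statement": {"AndStatement": {"Statements": [
            {"LabelMatchStatement": {"Scope": "LABEL", "Key": LABEL_DDOS}},
            {"RegexMatchStatement": {
                "RegexString": CRITICAL_PATH_REGEX,
                "FieldToMatch": {"UriPath": {}},
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }},
        ]}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("BlockFlaggedOnCheckout"),
    }
    return [amr, guard]


def triage_waf_logs(lines):
    """Summarise WAF log records by AMR label: requests seen while an event
    was detected, requests flagged as attack traffic, and the top flagged
    client IPs. Returns a dict."""
    in_event = flagged = 0
    sources = Counter()
    for line in lines:
        rec = json.loads(line)
        names = {lab["name"] for lab in rec.get("labels", [])}
        if LABEL_EVENT in names:
            in_event += 1
        if LABEL_DDOS in names:
            flagged += 1
            sources[rec["httpRequest"]["clientIp"]] += 1
    return {"during_event": in_event, "flagged": flagged,
            "top_sources": sources.most_common(3)}


def _rec(ip, uri, labels, action):
    return json.dumps({"action": action,
                       "httpRequest": {"clientIp": ip, "uri": uri},
                       "labels": [{"name": n} for n in labels]})


# Constructed sample: three flagged requests from one IP during an event,
# one unflagged request during the event, one request outside any event.
SAMPLE_LOGS = [
    _rec("203.0.113.10", "/api/checkout", [LABEL_EVENT, LABEL_DDOS], "BLOCK"),
    _rec("203.0.113.10", "/", [LABEL_EVENT, LABEL_DDOS], "CHALLENGE"),
    _rec("203.0.113.10", "/", [LABEL_EVENT, LABEL_DDOS], "CHALLENGE"),
    _rec("198.51.100.7", "/", [LABEL_EVENT], "ALLOW"),
    _rec("198.51.100.8", "/", [], "ALLOW"),
]

if __name__ == "__main__":
    print(json.dumps(anti_ddos_rules(exempt_uri_regexes=["^/api/"]), indent=1))
    print(triage_waf_logs(SAMPLE_LOGS))
```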

DDoS Attack Flow Logs (2026)

  • Announced May 2026, AWS Shield Advanced now provides DDoS attack flow logs for forensic analysis and compliance.
  • Captures critical packet-level details during active attacks, including:
    • Source and destination IP addresses
    • Ports and protocols
    • Packet and byte counts
    • Source country information
  • Log data is automatically published to your chosen destination (Amazon S3, CloudWatch Logs, or Amazon Data Firehose) at 5-minute intervals during active attacks.
  • Enables you to pinpoint attack sources, verify mitigations, and feed existing analysis pipelines.
  • Helps organizations reconstruct attack patterns and verify mitigation effectiveness without additional infrastructure.
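The page lists the fields the attack flow logs carry but not their exact layout, so the following added example (not the page's or AWS's own code) assumes a one-JSON-object-per-line export with hypothetical field names and constructs its own records. It buckets records into the 5-minute windows the page describes, summarises the dominant vector, source countries and top sources per window, and compares byte volume between windows as a first check that a mitigation took effect.

```python
"""Summarise constructed DDoS attack flow log records per 5-minute window.

Added example, not the page's or AWS's own code. The field names, the JSON
shape and every record below are constructed; map them onto the real
export before using this on production logs.
"""
import json
from collections import Counter, defaultdict

WINDOW_SECONDS = 300  # page: logs are published at 5-minute intervals

# Hypothetical names for the fields the page says the logs contain.
FIELDS = ("start", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "src_country")


def parse_records(lines):
    """Parse one JSON object per line, skipping blanks and records that
    are missing any expected field (truncated exports happen)."""
    recs = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if all(k in rec for k in FIELDS):
            recs.append(rec)
    return recs


def summarise_windows(recs):
    """Bucket by 5-minute window; per window return totals, the dominant
    (protocol, dstport) vector by packets, top source countries by bytes
    and top source IPs by packets."""
    windows = defaultdict(list)
    for r in recs:
        windows[r["start"] - r["start"] % WINDOW_SECONDS].append(r)
    out = []
    for start in sorted(windows):
        rs = windows[start]
        vectors, countries, sources = Counter(), Counter(), Counter()
        for r in rs:
            vectors[(r["protocol"], r["dstport"])] += r["packets"]
            countries[r["src_country"]] += r["bytes"]
            sources[r["srcaddr"]] += r["packets"]
        out.append({
            "window_start": start,
            "bytes": sum(r["bytes"] for r in rs),
            "packets": sum(r["packets"] for r in rs),
            "distinct_sources": len(sources),
            "top_vector": vectors.most_common(1)[0],
            "top_countries": countries.most_common(3),
            "top_sources": sources.most_common(3),
        })
    return out


def mitigation_trend(summary):
    """Ratio of each window's byte volume to the previous window's; a
    ratio well below 1 after the peak is what a mitigation that is working
    should look like. Returns a list of (window_start, ratio_or_None)."""
    trend, prev = [], None
    for w in summary:
        ratio = None if not prev else round(w["bytes"] / prev, 2)
        trend.append((w["window_start"], ratio))
        prev = w["bytes"]
    return trend


def _rec(start, src, country, packets, nbytes):
    return json.dumps({"start": start, "srcaddr": src,
                       "dstaddr": "203.0.113.5", "srcport": 40000,
                       "dstport": 443, "protocol": 6, "packets": packets,
                       "bytes": nbytes, "src_country": country})


# Constructed sample: a TCP/443 flood from two sources in the first window,
# one legitimate client, then a sharp drop in the next window.
SAMPLE_LINES = [
    _rec(1000, "198.51.100.1", "DE", 500000, 20000000),
    _rec(1010, "198.51.100.2", "DE", 400000, 16000000),
    _rec(1020, "192.0.2.9", "US", 20, 3000),
    _rec(1300, "198.51.100.1", "DE", 50000, 2000000),
    _rec(1310, "192.0.2.9", "US", 25, 3500),
    '{"start": 1320, "srcaddr": "198.51.100.3"}',  # truncated record, skipped
    "",
]

if __name__ == "__main__":
    summary = summarise_windows(parse_records(SAMPLE_LINES))
    for w in summary:
        print(w)
    print(mitigation_trend(summary))
```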

AWS Shield Network Security Director (Preview)

  • Announced June 2025, AWS Shield network security director is a new capability that provides proactive network security posture analysis.
  • Discovers resources across AWS accounts, identifies connectivity between resources, and determines which network security services and configurations are in place.
  • Key capabilities:
    • Network Topology Visualization – provides a complete view of your AWS environment with resource connectivity, security configurations, and potential security issues. Resources are grouped by tags and connectivity patterns.
    • Prioritized Findings Dashboard – assigns severity levels (NONE, INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL) based on identified network security issues, considering network context, AWS best practices, and threat intelligence.
    • Remediation Recommendations – provides step-by-step instructions to fix identified misconfigurations in services like AWS WAF, VPC security groups, and VPC network ACLs.
    • Amazon Q Integration – analyze network security issues using natural language through Amazon Q Developer.
  • Supports multi-account analysis (added December 2025).
  • Findings are available in AWS Security Hub (added March 2026).
  • Does not require a Shield Advanced subscription.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. Which AWS service has inbuilt DDoS protection?
    1. AWS Shield
    2. AWS CloudWatch
    3. AWS EC2
    4. AWS Inspector
  2. A media company has monetized their APIs to external third parties. During the last month, the platform has come under DDoS attacks multiple times leading to scaling of underlying instances and cost incurred. Which AWS service would help provide cost protection against such spikes, if such situations do occur in the future?
    1. AWS Systems Manager
    2. AWS WAF
    3. AWS Shield Advanced
    4. AWS Inspector
  3. A company is hosting an important revenue generating application. On the last few occasions, the application has come under large DDoS attacks. As a result of this, a lot of users were complaining about the slowness of the application. You need to now avoid these situations in the future and now require 24×7 support from AWS if such situations do occur in the future. Which of the following services can help in this regard?
    1. AWS Shield Advanced
    2. AWS Inspector
    3. AWS WAF
    4. AWS Systems Manager
  4. A company wants to automatically detect and mitigate Layer 7 DDoS attacks on their web application within seconds without manual rule configuration. Which solution provides the fastest automated response?
    1. AWS WAF rate-based rules
    2. AWS Shield Standard
    3. AWS WAF Anti-DDoS Managed Rule Group (AMR)
    4. AWS Network Firewall
  5. A security team needs packet-level visibility into DDoS attack traffic targeting their Shield Advanced-protected resources for forensic analysis. Which feature should they enable?
    1. VPC Flow Logs
    2. AWS CloudTrail
    3. Shield Advanced DDoS Attack Flow Logs
    4. AWS WAF logging
  6. An organization wants to proactively identify missing or misconfigured network security services across their AWS accounts and receive remediation guidance. Which AWS Shield capability should they use?
    1. Shield Advanced Protection Groups
    2. AWS Firewall Manager
    3. AWS Shield Network Security Director
    4. AWS Security Hub
  7. A company has multiple CloudFront distributions serving their e-commerce application and wants Shield Advanced to treat them as a single unit for DDoS detection and mitigation. What feature should they use?
    1. AWS WAF rule groups
    2. AWS Firewall Manager policies
    3. Shield Advanced Protection Groups
    4. CloudFront origin groups
  8. A company wants the AWS Shield Response Team (SRT) to automatically contact them when a DDoS event is detected and their application becomes unhealthy. What must they configure? (Choose 2)
    1. Enable Proactive Engagement in Shield Advanced
    2. Associate a Route 53 health check with the protected resource
    3. Configure AWS CloudWatch alarms
    4. Subscribe to AWS Business Support only

AWS DDoS Resiliency – Best Practices

📋 Whitepaper Update Notice

The original AWS DDoS Best Practices whitepaper (June 2015) has been updated multiple times, with the latest revision dated August 9, 2023. AWS now marks it as “historical reference.” The current AWS DDoS protection guidance is integrated into the AWS WAF, Shield, and Firewall Manager Developer Guide.

This post has been updated to reflect the modern AWS DDoS protection services including AWS Shield, AWS WAF v2, AWS Firewall Manager, and the new Anti-DDoS Managed Rule Group (2026).

  • Denial of Service (DoS) is an attack, carried out by a single attacker, which attempts to make a website or application unavailable to the end users.
  • Distributed Denial of Service (DDoS) is an attack, carried out by multiple attackers either controlled or compromised by a group of collaborators, which generates a flood of requests to the application making it unavailable to the legitimate end users.
  • DDoS attacks can be segregated by which layer of the OSI model they attack:
    • Infrastructure layer attacks (Layer 3 and 4) — SYN/UDP floods, reflection attacks, amplification attacks
    • Application layer attacks (Layer 6 and 7) — HTTP/S floods, DNS query floods, SSL/TLS abuse

AWS DDoS Protection Services

  • AWS Shield Standard — Free, automatic protection for all AWS customers against common infrastructure DDoS attacks (Layer 3/4)
  • AWS Shield Advanced — Paid managed DDoS protection with enhanced detection, always-on automatic mitigation, 24/7 access to Shield Response Team (SRT), cost protection, and application layer protections
  • AWS WAF — Web application firewall for application layer (Layer 7) protection with managed rule groups, rate-based rules, and bot control
  • AWS Firewall Manager — Centralized security policy management across multiple accounts and resources in AWS Organizations
  • AWS Shield Network Security Director (Preview, 2025) — Analyzes network resources, identifies configuration issues, and provides remediation recommendations for comprehensive DDoS posture

Mitigation Techniques

Minimize the Attack Surface Area

  • Reduce the attack surface by minimizing the different Internet entry points that allow access to your application
  • Strategy to minimize the Attack surface area:
    • Reduce the number of necessary Internet entry points
    • Don’t expose back-end servers
    • Eliminate non-critical Internet entry points
    • Separate end user traffic from management traffic
    • Obfuscate necessary Internet entry points to the level that untrusted end users cannot access them
    • Decouple Internet entry points to minimize the effects of attacks
  • Benefits:
    • Minimizes the effective attack vectors and targets
    • Less to monitor and protect
  • Strategy can be achieved using AWS Virtual Private Cloud (VPC):
    • Defines a logically isolated virtual network within AWS
    • Provides ability to create Public & Private Subnets to launch internet-facing and non-public-facing instances accordingly
    • Provides NAT gateway allowing instances in private subnets to have internet access without Public IPs
    • Allows creation of Bastion hosts (or use AWS Systems Manager Session Manager) for connecting to instances in private subnets
    • Provides security groups for instances and NACLs for subnets to control and limit outbound and inbound traffic
    • Supports VPC endpoints (Gateway and Interface) to access AWS services privately without traversing the internet

VPC Architecture

Be Ready to Scale to Absorb the Attack

  • DDoS attacks mainly aim to overload systems beyond their capacity, rendering them unusable
  • Scaling out Benefits:
    • Helps build a resilient architecture
    • Makes the attacker work harder
    • Gives you time to think, analyze, and adapt
  • AWS services for scaling:
    • Auto Scaling & Elastic Load Balancing
      • Horizontal scaling using Auto Scaling with ELB (ALB, NLB, or CLB)
      • Auto Scaling allows instances to be added and removed as demand changes
      • ELB distributes traffic across multiple EC2 instances while acting as a single point of contact
      • Auto Scaling automatically registers and deregisters EC2 instances with the ELB during scale-out and scale-in events
      • Application Load Balancer (ALB) integrates natively with AWS WAF for Layer 7 protection
      • Network Load Balancer (NLB) handles millions of requests per second with ultra-low latency for Layer 4 traffic
    • EC2 Instance
      • Vertical scaling can be achieved by using appropriate EC2 instance types (e.g., EBS-optimized or ones with 25/100 Gbps network connectivity) to handle the load
    • Enhanced Networking
      • Use instances with Enhanced Networking capabilities (ENA) for high packet-per-second performance, low latency networking, and improved scalability
    • Amazon CloudFront
      • CloudFront is a CDN that acts as a proxy between end users and Origin servers, distributing content without sending all traffic to the Origin
      • Has inherent ability to mitigate both infrastructure and application layer DDoS attacks by dispersing traffic across multiple edge locations globally
      • AWS has multiple Internet connections for capacity and redundancy at each location, allowing isolation of attack traffic while serving legitimate end users
      • CloudFront filters to ensure only valid TCP connections and HTTP requests are processed, dropping invalid requests (commonly used in UDP & SYN floods, and slow reads)
      • CloudFront Security Dashboard (2023) provides unified CDN and security experience with one-click AWS WAF protection and built-in security monitoring
      • Integrates natively with AWS WAF and AWS Shield Advanced
    • Amazon Route 53
      • DDoS attacks also target DNS — if DNS is unavailable, the application is effectively unavailable
      • AWS Route 53 is a highly available and scalable DNS service with capabilities to withstand DDoS attacks:
        • Shuffle Sharding — spreads DNS requests over numerous PoPs using independent sets of edge locations, providing multiple paths to your application
        • Anycast Routing — advertises the same IP address from multiple PoPs, increasing redundancy; if one endpoint is overwhelmed, traffic routes to others
    • AWS Global Accelerator
      • Uses static anycast IP addresses as entry points to the AWS global network
      • Integrates with AWS Shield for DDoS mitigation at the edge, including a stateless SYN proxy that challenges new connections and only serves legitimate end users
      • Routes traffic over the AWS backbone network, away from the congested public internet
      • Provides fault isolation and deterministic routing for improved DDoS resiliency

Safeguard Exposed & Hard-to-Scale Resources

  • If entry points cannot be limited, take additional measures to restrict access to and protect those entry points without interrupting legitimate end user traffic
  • AWS services for protection:
    • CloudFront
      • Restrict access using Geo Restriction and Origin Access Control (OAC)
      • With Geo Restriction, access can be limited to an allow list of countries or denied to a block list of countries
      • Origin Access Control (OAC) replaces the legacy Origin Access Identity (OAI) — allows access to S3 origins only through CloudFront while denying direct access. OAC supports SSE-KMS, dynamic requests, and all S3 regions.
    • Route 53
      • Alias Record sets and Private DNS make it easier to scale infrastructure and respond to DDoS attacks
      • Route 53 health checks enable automatic failover to healthy resources
    • AWS WAF (Web Application Firewall)
      • AWS WAF is a fully managed service (not EC2-based) that filters web traffic using customizable rules
      • Integrates directly with CloudFront, ALB, API Gateway, AppSync, App Runner, Cognito, and Verified Access
      • Key capabilities:
        • Rate-based rules — automatically blocks IPs exceeding request thresholds
        • Managed Rule Groups — pre-built rules for OWASP Top 10, known bad inputs, SQL injection, XSS
        • Bot Control — managed bot detection and mitigation covering 650+ unique bots and AI agents
        • Fraud Control — Account Takeover Prevention (ATP) and Account Creation Fraud Prevention (ACFP)
        • Anti-DDoS Managed Rule Group (AWSManagedRulesAntiDDoSRuleSet) — launched June 2025 and the default L7 DDoS protection as of March 2026; establishes traffic baselines, detects anomalies within seconds, and mitigates HTTP floods automatically
        • AI Bot Management — AI Activity Dashboard (Feb 2026) for visibility into AI scrapers, tools, and agents; supports AI traffic monetization
        • Geo-match conditions, IP set rules, regex pattern sets
        • Custom response bodies and headers
      • No longer requires the “WAF sandwich” pattern — AWS WAF is now a native, managed Layer 7 service that does not require separate EC2 instances
    • AWS Shield Advanced
      • Provides managed DDoS protection for CloudFront, Route 53, Global Accelerator, ELB, and EC2 Elastic IPs
      • Key features:
        • Always-on detection and automatic mitigation with sub-second time-to-mitigate
        • Application layer automatic mitigation — automatically deploys WAF rules during attacks
        • Shield Response Team (SRT) — 24/7 expert support during active DDoS events
        • Cost protection — credits for scaling charges incurred during DDoS attacks
        • DDoS visibility — real-time metrics, attack notifications, and forensic reports
        • Health-based detection — uses Route 53 health checks to improve detection accuracy and reduce false positives
        • Network Security Director (Preview, June 2025) — discovers resources, visualizes network topology, identifies security misconfigurations, and provides remediation recommendations using Amazon Q Developer
    • AWS Firewall Manager
      • Centrally configure and manage AWS WAF rules, Shield Advanced protections, security groups, Network Firewall, and DNS Firewall policies across all accounts in AWS Organizations
      • Automatically applies security policies to new resources as they are created
      • Provides compliance monitoring and reporting

DDoS Resiliency – WAF Sandwich Architecture (Legacy Pattern)

Note: The WAF Sandwich pattern shown above is a legacy architecture. AWS WAF is now a fully managed service that integrates natively with ALB, CloudFront, API Gateway, and other services — no separate EC2-based WAF instances are needed.

Learn Normal Behavior

  • Understand the normal levels and patterns of traffic for your application and use that as a benchmark for identifying abnormal traffic or resource spikes
  • Benefits:
    • Allows one to spot abnormalities
    • Configure alarms with accurate thresholds
    • Assists with generating forensic data
  • AWS services for tracking and detection:
    • Amazon CloudWatch
      • Monitor infrastructure and applications running on AWS
      • Collect metrics, log files, and set alarms for when metrics pass predetermined thresholds
      • Shield Advanced publishes DDoS metrics: DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, DDoSAttackRequestsPerSecond
    • VPC Flow Logs
      • Capture traffic to instances in a VPC to understand traffic patterns and detect anomalies
      • Can be published to CloudWatch Logs or S3 for analysis
    • AWS WAF Logging & Metrics
      • Full logging of all evaluated requests to S3, CloudWatch Logs, or Kinesis Data Firehose
      • Real-time metrics in CloudWatch for blocked/allowed/counted requests
      • Traffic Overview Dashboard (2025) — near-real-time summaries including total requests, blocked requests, bot categories, CAPTCHA solve rates, and top matched rules
    • AWS CloudTrail
      • Logs API calls for auditing configuration changes to WAF, Shield, and security groups
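As an added example (not the page's or AWS's own code), the Python below derives per-hour-of-day request-rate baselines from a constructed normal period using median and median absolute deviation, reports only sustained breaches so a single spike does not page anyone, and emits the parameters for a CloudWatch alarm on the Shield Advanced DDoSDetected metric. The AWS/DDoSProtection namespace, the ResourceArn dimension and the put_metric_alarm argument names are from the CloudWatch and Shield documentation as I know them; the ARNs are placeholders.

```python
"""Learn normal behaviour: per-hour request baselines, sustained-anomaly
detection, and a CloudWatch alarm for Shield Advanced's DDoSDetected metric.

Added example, not the page's or AWS's own code. The request-rate history
and observations are constructed; the alarm dict mirrors boto3's
cloudwatch.put_metric_alarm() arguments (verify against current docs).
"""
from statistics import median


def hourly_baseline(history, k=3.0, floor=1.0):
    """history: (hour_of_day, requests_per_second) samples from a normal
    period. Returns {hour: threshold} with threshold = median + k * MAD
    (median absolute deviation), so one bad sample in the history cannot
    drag the baseline the way a mean would. `floor` keeps the band above
    noise when MAD is zero."""
    by_hour = {}
    for hour, rps in history:
        by_hour.setdefault(hour, []).append(rps)
    thresholds = {}
    for hour, vals in by_hour.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        thresholds[hour] = med + k * max(mad, floor)
    return thresholds


def find_anomalies(observations, thresholds, min_consecutive=2):
    """observations: (timestamp, hour_of_day, rps) in time order. A run is
    reported only after `min_consecutive` breaching windows; hours with no
    baseline never alarm. Returns [(first_ts, last_ts, peak_rps), ...]."""
    runs, current = [], []
    for ts, hour, rps in observations:
        if rps > thresholds.get(hour, float("inf")):
            current.append((ts, rps))
            continue
        if len(current) >= min_consecutive:
            runs.append(_summarise(current))
        current = []
    if len(current) >= min_consecutive:
        runs.append(_summarise(current))
    return runs


def _summarise(run):
    return (run[0][0], run[-1][0], max(r for _, r in run))


def ddos_detected_alarm(resource_arn, sns_topic_arn):
    """Keyword arguments for cloudwatch.put_metric_alarm(): notify as soon
    as Shield Advanced reports any DDoSDetected sample for the resource."""
    return {
        "AlarmName": "shield-ddos-detected",
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


# Constructed history: seven quiet days, ~100 rps at 03:00, ~800 rps at 12:00.
HISTORY = ([(3, 100 + d) for d in range(7)]
           + [(12, 800 + 5 * d) for d in range(7)])

# Constructed observations: one lone spike at 03:00 (ignored), then a
# sustained flood across three windows at 12:00 (reported).
OBSERVED = [
    (1, 3, 104), (2, 3, 400), (3, 3, 98),
    (4, 12, 810), (5, 12, 2500), (6, 12, 9000), (7, 12, 7000), (8, 12, 790),
]

if __name__ == "__main__":
    th = hourly_baseline(HISTORY)
    print(th)
    print(find_anomalies(OBSERVED, th))
    print(ddos_detected_alarm("arn:aws:cloudfront::PLACEHOLDER:distribution/X",
                              "arn:aws:sns:us-east-1:PLACEHOLDER:ddos-alerts"))
```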

Create a Plan for Attacks

  • Have a plan in place before an attack, which ensures that:
    • Architecture has been validated and techniques selected work for the infrastructure
    • Costs for increased resiliency have been evaluated and the goals of your defense are understood
    • Contact points have been identified
    • Runbooks exist for DDoS incident response
  • AWS Shield Advanced SRT engagement — proactive or reactive engagement with DDoS experts
  • AWS Support — Business or Enterprise Support plans provide access to 24/7 support during attacks

DDoS-Resilient Reference Architecture

AWS recommends using the following services at the edge for maximum DDoS resiliency:

  • Edge Layer: Amazon CloudFront + AWS WAF + AWS Shield (Standard/Advanced) + Amazon Route 53
  • Network Layer: AWS Global Accelerator + Elastic Load Balancing (ALB/NLB) + VPC with NACLs and Security Groups
  • Application Layer: Auto Scaling groups + EC2 instances in multiple AZs
  • Management Layer: AWS Firewall Manager for centralized policy management across accounts

Key principle: Push traffic as far from the origin as possible using CloudFront, Global Accelerator, and Route 53 to leverage AWS’s globally distributed DDoS mitigation capacity (terabits scale).

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)
    1. Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
    2. Use dedicated instances to ensure that each instance has the maximum performance possible.
    3. Use an Amazon CloudFront distribution for both static and dynamic content.
    4. Use an Elastic Load Balancer with auto scaling groups at the web app and Amazon Relational Database Service (RDS) tiers
    5. Add Amazon CloudWatch alerts to look for high Network In and CPU utilization.
    6. Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
  2. You’ve been hired to enhance the overall security posture for a very large e-commerce site. They have a well architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access. Which approach provides a cost effective scalable mitigation to this kind of attack?
    1. Recommend that they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC they would then establish Internet connectivity into their space, filter the traffic in hardware Web Application Firewall (WAF). And then pass the traffic through the DirectConnect connection into their application running in their VPC. (Not cost effective)
    2. Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet. (does not protect against new source)
    3. Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group (Note: This describes the legacy “WAF sandwich” pattern. In modern AWS, you would simply enable AWS WAF on the existing ALB — no separate EC2 WAF tier is needed.)
    4. Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering. This will enable the ELB itself to perform WAF functionality. (No advanced protocol filtering in ELB)
  3. A company wants to protect its web application from Layer 7 DDoS attacks and common web exploits. The application uses Amazon CloudFront with an Application Load Balancer origin. Which combination of AWS services provides the MOST effective protection? (Choose 2 answers)
    1. Enable AWS Shield Advanced on the CloudFront distribution and ALB with automatic application layer DDoS mitigation
    2. Deploy AWS Network Firewall in front of the ALB
    3. Associate an AWS WAF web ACL with rate-based rules and the Anti-DDoS Managed Rule Group on the CloudFront distribution
    4. Use Security Groups on the ALB to block malicious IPs
    5. Enable VPC Flow Logs and manually block attacking IPs
  4. A security team needs to protect multiple AWS accounts’ web applications from DDoS attacks with consistent security policies. Which approach provides centralized management with automatic enforcement?
    1. Manually configure AWS WAF rules on each account’s resources
    2. Use AWS Firewall Manager to define WAF and Shield Advanced policies across the AWS Organization
    3. Deploy third-party WAF appliances in each VPC
    4. Use AWS Config rules to audit WAF configurations
  5. Which AWS service provides automatic, always-on protection against common DDoS attacks at no additional cost for ALL AWS customers?
    1. AWS WAF
    2. AWS Shield Standard
    3. AWS Shield Advanced
    4. AWS Firewall Manager
  6. A company is experiencing an active DDoS attack on their application behind CloudFront. They have AWS Shield Advanced enabled. Which features are available to help mitigate the attack? (Choose 3 answers)
    1. 24/7 access to the AWS Shield Response Team (SRT)
    2. Automatic VPC security group rule updates
    3. Automatic application layer mitigation through managed WAF rules
    4. Cost protection credits for scaling charges incurred during the attack
    5. Automatic CloudFront distribution disablement