CLF-C02 · Question #156
CLF-C02 Question #156: Real Exam Question with Answer & Explanation
The correct answer is D: AWS Shield. AWS Shield is specifically designed to protect against Distributed Denial of Service (DDoS) attacks at the network and transport layers (Layers 3 and 4), making it the right choice for defending web applications from DDoS threats. Shield Standard is automatically included for all
Question
A company is building a web application using AWS. Which AWS service will help prevent network layer DDoS attacks against the web application?
Options
- AAWS WAF
- BAWS Firewall Manager
- CAmazon GuardDuty
- DAWS Shield
Explanation
AWS Shield is specifically designed to protect against Distributed Denial of Service (DDoS) attacks at the network and transport layers (Layers 3 and 4), making it the right choice for defending web applications from DDoS threats. Shield Standard is automatically included for all AWS customers at no cost, while Shield Advanced offers enhanced protection with 24/7 access to the DDoS Response Team.
Why the distractors are wrong:
- AWS WAF (A) operates at Layer 7 (application layer) and filters malicious HTTP/S requests like SQL injection or cross-site scripting - not network-layer DDoS attacks.
- AWS Firewall Manager (B) is a management tool that centrally configures and manages firewall rules (including WAF and Shield) across multiple accounts - it doesn't directly block DDoS attacks itself.
- Amazon GuardDuty (C) is a threat detection service that monitors for suspicious activity and anomalies - it identifies threats but does not actively block or prevent DDoS attacks.
Memory Tip: Think "Shield = Defense from DDoS" - just like a physical shield blocks incoming attacks, AWS Shield blocks incoming DDoS floods. If you see "DDoS protection" in an exam question, immediately think Shield.
Topics
Community Discussion
No community discussion yet for this question.