SCS-C02 · Question #178

The correct answer is A: Amazon Route 53.

Submitted by yousef_jo · Mar 6, 2026 · Infrastructure Security

Question

A company is undergoing a layer 3 and layer 4 DDoS attack on its web servers running on AWS. Which combination of AWS services and features will provide protection in this scenario? (Choose three.)

Options

  • A. Amazon Route 53
  • B. AWS Certificate Manager (ACM)
  • C. Amazon S3
  • D. AWS Shield
  • E. Network Load Balancer
  • F. Amazon GuardDuty

Explanation

AWS Shield (D) is the direct answer - it's purpose-built to detect and mitigate layer 3/4 DDoS attacks (SYN floods, UDP reflection, etc.) at both Standard and Advanced tiers. Amazon Route 53 (A) is automatically protected by Shield Standard and provides DNS-level resilience, allowing traffic to be rerouted away from overwhelmed endpoints during an attack. Network Load Balancer (E) operates at layer 4 (TCP/UDP), integrates natively with Shield, and can absorb and distribute volumetric attack traffic across multiple targets, preventing any single server from being overwhelmed.

The distractors fail because: ACM (B) only manages TLS/SSL certificates - it has no traffic-handling or mitigation role. S3 (C) is object storage and not relevant to protecting web server infrastructure from network-layer attacks. GuardDuty (F) is a detective control that identifies threats and generates alerts - it does not actively block or mitigate DDoS traffic.

Memory tip: Think of the three correct answers as forming a "DDoS defense stack from top to bottom" - Route 53 absorbs at DNS, NLB absorbs at the transport layer, and Shield is the engine powering protection at both. If a service's primary job is detection (GuardDuty) or encryption (ACM), it won't stop packets from hitting your servers.

Topics

#DDoS Protection #AWS Shield #Network Load Balancer #Route 53
