Protecting Your Critical Web Application Against DDoS Attacks on AWS Cloud

Defending Against DDoS Attacks on Your Revenue-Generating Web Application

Question

A company hosts a critical web application on the AWS Cloud.

This is a key revenue-generating application for the company.

The IT Security team is worried about potential DDoS attacks against the website (this might affect AWS services such as Amazon CloudFront, Amazon Route 53, and AWS Global Accelerator).

The senior management has also specified that immediate action needs to be taken in case of a potential DDoS attack.

What should be done in this regard?

Answers

Explanations


Answer: C.

Option A is incorrect because the AWS Shield Standard Service will not assist with immediate action against a DDoS attack.

AWS Shield Standard Service is enabled by default, and there is no need to enable it by users.

Option B is incorrect because VPC Flow Logs is a logging service for VPC traffic flow; it cannot specifically protect against DDoS attacks.

Option C is CORRECT because AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks.

AWS Shield Advanced also gives customers highly flexible controls over attack mitigations to take action instantly.

Customers can also engage the DDoS Response Team (DRT) 24x7 to manage and mitigate their application-layer DDoS attacks.

Option D is incorrect because CloudWatch Logs is a logging and monitoring service for AWS services; it cannot specifically protect against DDoS attacks.

The AWS documentation mentions the following:

AWS Shield Advanced provides enhanced protections for your applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated attacks.

AWS Shield Advanced is available to AWS Business Support and AWS Enterprise Support customers.

For more information on AWS Shield, please visit the URL below:

https://aws.amazon.com/shield/faqs/

The correct answer for this question is: C. Consider using the AWS Shield Advanced Service.

Explanation:

A Distributed Denial of Service (DDoS) attack is a type of attack designed to flood a network, system, or application with traffic in order to disrupt its normal operation. AWS provides several services that can help protect against DDoS attacks.

AWS Shield is a managed DDoS protection service that helps protect AWS resources like Amazon CloudFront, Amazon Route 53, and AWS Global Accelerator from DDoS attacks. It provides two levels of protection: AWS Shield Standard and AWS Shield Advanced.

AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. It provides protection against common, most frequently occurring network and transport layer DDoS attacks. AWS Shield Standard is a good starting point for most customers, but it may not be sufficient for high-risk applications.

AWS Shield Advanced provides additional protection against more sophisticated DDoS attacks, 24/7 access to the AWS DDoS Response Team (DRT), and cost protection against usage spikes during a DDoS attack. It also provides access to real-time metrics and reports, and DDoS attack simulations that help you test and validate the effectiveness of your DDoS protection measures.
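The explanation of Option C above and the Shield Standard versus Shield Advanced comparison in this section both describe what Shield Advanced adds: per-resource protections, near real-time detection, a path to the DRT, and controls the security team can act on immediately. The CloudFormation template below is an added example, not code from the original page or from AWS, showing what that looks like when written down for the scenario's three service types (CloudFront, Route 53, Global Accelerator). It assumes the account already holds a Shield Advanced subscription (the subscription itself cannot be created by CloudFormation), and every resource ID, hostname and e-mail address is a labelled placeholder or constructed value.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original page): Shield Advanced protections for a
  revenue-generating web app, DRT access, proactive engagement, and an alarm that
  pages the security team the moment Shield reports a DDoS event. Assumes an
  existing Shield Advanced subscription. Deploy in us-east-1, where the Shield
  API and the metrics for global resources live.

Parameters:
  CloudFrontDistributionId:
    Type: String
    Description: ID of the existing CloudFront distribution (placeholder, supply your own)
  HostedZoneId:
    Type: String
    Description: ID of the existing Route 53 public hosted zone (placeholder, supply your own)
  AcceleratorArn:
    Type: String
    Description: ARN of the existing Global Accelerator (placeholder, supply your own)
  SiteFqdn:
    Type: String
    Default: www.example.com
    Description: Hostname the health check probes (constructed value)
  SecurityTeamEmail:
    Type: String
    Default: security-team@example.com
    Description: Address paged on detection and used as DRT emergency contact (constructed value)

Resources:
  # Route 53 health check on the public endpoint. Associating it with the
  # protection lets Shield weigh application health in its detection, and
  # proactive engagement expects protected resources to carry health checks.
  AppHealthCheck:
    Type: AWS::Route53::HealthCheck
    Properties:
      HealthCheckConfig:
        Type: HTTPS
        FullyQualifiedDomainName: !Ref SiteFqdn
        Port: 443
        ResourcePath: /healthz
        RequestInterval: 10
        FailureThreshold: 3

  # One Shield Advanced protection per resource the question lists.
  CloudFrontProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: web-app-cloudfront
      ResourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistributionId}"
      HealthCheckArns:
        - !Sub "arn:aws:route53:::healthcheck/${AppHealthCheck}"

  HostedZoneProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: web-app-route53
      ResourceArn: !Sub "arn:aws:route53:::hostedzone/${HostedZoneId}"

  AcceleratorProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: web-app-global-accelerator
      ResourceArn: !Ref AcceleratorArn

  # Role the DDoS Response Team assumes once the company engages them, so
  # mitigation can start without a permissions scramble mid-incident.
  DrtAccessRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: drt.shield.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy

  DrtAccess:
    Type: AWS::Shield::DRTAccess
    Properties:
      RoleArn: !GetAtt DrtAccessRole.Arn

  # With proactive engagement on, the DRT contacts the listed people directly
  # when Shield's health-check-based detection sees the app degrading.
  ProactiveEngagement:
    Type: AWS::Shield::ProactiveEngagement
    DependsOn: DrtAccess
    Properties:
      ProactiveEngagementStatus: ENABLED
      EmergencyContactList:
        - EmailAddress: !Ref SecurityTeamEmail
          ContactNotes: 24x7 on-call rotation for the revenue-generating web app

  DdosAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref SecurityTeamEmail

  # Shield Advanced publishes DDoSDetected (1 during an event) per protected
  # ARN into the AWS/DDoSProtection namespace; alarm on any non-zero minute.
  CloudFrontDdosDetectedAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: web-app-cloudfront-ddos-detected
      Namespace: AWS/DDoSProtection
      MetricName: DDoSDetected
      Dimensions:
        - Name: ResourceArn
          Value: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistributionId}"
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref DdosAlertTopic
```

The alarm is what turns "near real-time notifications" into the immediate action management asked for: it fires on the first minute Shield reports the event, well before a human notices a traffic graph. The same alarm can be repeated for the hosted zone and accelerator ARNs. Note what the template deliberately omits: VPC Flow Logs and CloudWatch Logs, the distractors in options B and D, record traffic but do nothing here to stop it.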

In this scenario, the company hosts a critical web application on the AWS Cloud that is a key revenue-generating application for the company. The IT Security team is worried about potential DDoS attacks against the website, and senior management has specified that immediate action needs to be taken in case of a potential DDoS attack.

Considering the criticality of the application and the need for immediate action, AWS Shield Advanced is the best option. AWS Shield Advanced provides advanced protection against more sophisticated DDoS attacks and 24/7 access to the AWS DDoS Response Team (DRT), which can provide immediate assistance in case of a potential DDoS attack.

Option A, AWS Shield Standard, is not sufficient for high-risk applications like the one described in the scenario. Options B and D, VPC Flow Logs and CloudWatch Logs, can be used to monitor traffic for DDoS attacks, but they do not provide active DDoS protection or immediate assistance in case of a potential DDoS attack.

Therefore, Option C, AWS Shield Advanced, is the best option for protecting the critical web application against potential DDoS attacks.