
AWS SAA-C03 Drill: DDoS Protection - The Service Selection and Cost-Tier Trade-off

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.

While preparing for the AWS SAA-C03, many candidates get confused by DDoS protection services and when to use Shield vs. Shield Advanced. In the real world, this is fundamentally a decision about security assurance vs. cost commitment. Let’s drill into a simulated scenario.

The Scenario

TechNova Solutions is launching a customer-facing e-commerce platform on AWS. The architecture consists of:

  • Multiple Amazon EC2 instances deployed across private subnets in a VPC
  • An Application Load Balancer (ALB) distributing traffic to the EC2 fleet
  • A third-party DNS provider currently handling domain resolution
  • Expected traffic: 10,000-50,000 concurrent users during peak seasons

The CTO has mandated that the platform must be resilient against large-scale Distributed Denial of Service (DDoS) attacks to prevent revenue loss during promotional campaigns. The security architect has been tasked with recommending a solution that provides detection and mitigation capabilities for volumetric and application-layer attacks.

Key Requirements

Design a solution that detects and defends against large-scale DDoS attacks while minimizing operational complexity for the initial launch phase.

The Options

  • A) Enable Amazon GuardDuty on the AWS account.
  • B) Enable Amazon Inspector on the EC2 instances.
  • C) Enable AWS Shield and associate Amazon Route 53 with it.
  • D) Enable AWS Shield Advanced and associate the ELB with it.

Correct Answer

Option D.


The Architect’s Analysis

Option D: Enable AWS Shield Advanced and associate the ELB with it.

Step-by-Step Winning Logic

This solution represents the optimal trade-off for several critical reasons:

1. Service Purpose Alignment

  • AWS Shield Advanced is purpose-built for DDoS protection, offering both network (Layer 3/4) and application layer (Layer 7) defense
  • Provides advanced attack detection with near real-time notification
  • Includes access to AWS DDoS Response Team (DRT) for attack mitigation assistance

2. Protection Point Selection

  • The ELB is the internet-facing entry point where all public traffic converges
  • Protecting the load balancer shields the entire downstream infrastructure (EC2 instances)
  • More cost-efficient than protecting individual EC2 instances

3. Large-Scale Attack Mitigation

  • The requirement specifically mentions “large-scale DDoS attacks”
  • Shield Standard (free tier) provides basic protection but lacks advanced detection and DRT support
  • Shield Advanced offers cost protection (credits for scaling costs during attacks) and enhanced mitigation capabilities

4. Operational Simplicity

  • Single-point protection at the ELB level
  • No configuration required on individual EC2 instances
  • Integrates with AWS WAF for application-layer filtering

The Traps (Distractor Analysis)

Why not Option A: Amazon GuardDuty?

Service Category Mismatch:

  • GuardDuty is a threat detection service (logs analysis, anomaly detection)
  • It identifies suspicious activities (compromised instances, reconnaissance) but does not mitigate DDoS attacks
  • Think of it as a security camera vs. a firewall—different purposes

Use Case:

  • Correct for: Detecting unauthorized access, crypto-mining, or data exfiltration
  • Incorrect for: Blocking volumetric traffic floods

Why not Option B: Amazon Inspector on EC2?

Fundamentally Wrong Tool:

  • Amazon Inspector performs vulnerability assessments and compliance scanning
  • Scans for software vulnerabilities, network exposure, and best practice deviations
  • Operates at the host level (instance configuration), not network traffic level

The Logic Flaw:

  • DDoS attacks target network availability, not software vulnerabilities
  • Inspector cannot intercept or block incoming traffic
  • This is like using a code review tool to stop a flood

Why not Option C: AWS Shield with Route 53?

The Multi-Layered Trap:

  1. “Enable AWS Shield” is ambiguous—Shield Standard is already enabled by default (free)
  2. Route 53 is not part of the architecture (the scenario explicitly states that a “third-party DNS provider” handles domain resolution)
  3. Even if Route 53 were used:
    • Shield Standard alone provides only basic protection
    • For “large-scale attacks,” Shield Advanced is required
    • Route 53 protection helps with DNS query floods but doesn’t protect the application layer

The Exam Trick:

  • This option tests if you’re reading the architecture carefully
  • It also conflates “having Shield” with “having adequate protection for large attacks”

The Architect Blueprint

```mermaid
graph TD
    Internet([Internet - Potential DDoS Source]) -->|Malicious + Legitimate Traffic| Shield[AWS Shield Advanced]
    Shield -->|Filtered Traffic| ALB[Application Load Balancer]
    ALB -->|Distributed Load| EC2-1[EC2 Instance - AZ-1a]
    ALB -->|Distributed Load| EC2-2[EC2 Instance - AZ-1b]
    ALB -->|Distributed Load| EC2-3[EC2 Instance - AZ-1c]
    Shield -.->|Attack Detection| DRT[AWS DRT Team - 24/7]
    Shield -.->|Metrics & Logs| CloudWatch[CloudWatch - Attack Visibility]
    style Shield fill:#ff6b6b,stroke:#c92a2a,stroke-width:3px
    style ALB fill:#4dabf7,stroke:#1971c2,stroke-width:2px
    style DRT fill:#51cf66,stroke:#2f9e44,stroke-width:2px
```

Diagram Note: Shield Advanced acts as the first line of defense at the ELB, filtering malicious traffic before it reaches application resources while providing visibility and expert support during active attacks.

Real-World Practitioner Insight

Exam Rule

For the AWS SAA-C03 exam, remember:

  • When you see “large-scale DDoS protection” + an internet-facing resource (ELB/CloudFront/Route 53) → AWS Shield Advanced
  • GuardDuty = Threat detection (logging), not DDoS mitigation
  • Inspector = Vulnerability scanning, not traffic filtering
  • Always apply Shield Advanced to the public-facing component (ELB, not backend EC2)

Real World

In production environments, we typically implement a layered approach:

  1. DNS Layer: Migrate from third-party DNS to Route 53 with Shield Advanced
    • Protects against DNS query floods
    • Enables health checks and failover
  2. CDN Layer: Add CloudFront with Shield Advanced
    • Absorbs attacks at edge locations (global distribution)
    • Reduces origin load significantly
  3. Application Layer: AWS WAF on ALB + Shield Advanced
    • Custom rate limiting rules
    • Geo-blocking for regions with high attack traffic
    • Bot detection and mitigation
  4. Cost Consideration:
    • Shield Advanced costs $3,000/month (plus data transfer fees)
    • For startups or lower-risk applications, we might start with:
      • Shield Standard (free)
      • CloudFront with geo-restrictions
      • WAF rate-based rules ($1/rule + $0.60 per million requests)
    • Graduate to Shield Advanced once revenue justifies the protection cost
  5. Attack Response Plan:
    • Pre-configure DRT access (requires Business or Enterprise Support)
    • Document runbooks for engaging DRT during attacks
    • Set up CloudWatch alarms for anomalous traffic patterns
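The application-layer and attack-response steps above, as an added CloudFormation example (not the author's own template): a Shield Advanced protection on the internet-facing ALB rather than on the backend EC2 instances, a WAF rate-based rule associated with the same ALB, and a CloudWatch alarm on the DDoSDetected metric that Shield Advanced publishes for protected resources. The AlbArn and AlertTopicArn parameters, the technova-* names and the 2000-request limit are assumed values, and the account is assumed to already hold a Shield Advanced subscription.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlbArn:                      # ARN of the existing internet-facing ALB (supplied at deploy time)
    Type: String
  AlertTopicArn:               # SNS topic that pages the on-call team (supplied at deploy time)
    Type: String
Resources:
  AlbShieldProtection:         # the single protection point: the ALB, not the backend EC2 fleet
    Type: AWS::Shield::Protection   # needs an active Shield Advanced subscription on the account
    Properties:
      Name: technova-alb-protection
      ResourceArn: !Ref AlbArn
  RateLimitWebAcl:             # application-layer filtering that Shield Advanced pairs with
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: technova-alb-acl
      Scope: REGIONAL          # ALB is regional; CLOUDFRONT scope applies only to distributions
      DefaultAction: { Allow: {} }
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: technova-alb-acl }
      Rules:
        - Name: per-ip-rate-limit
          Priority: 0
          Action: { Block: {} }
          Statement:
            RateBasedStatement:
              Limit: 2000      # requests per 5-minute window from one source IP; tune from real traffic
              AggregateKeyType: IP
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: per-ip-rate-limit }
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt RateLimitWebAcl.Arn
  DdosDetectedAlarm:           # Shield Advanced publishes DDoSDetected per protected resource
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: technova-alb-ddos-detected
      Namespace: AWS/DDoSProtection
      MetricName: DDoSDetected
      Dimensions:
        - { Name: ResourceArn, Value: !Ref AlbArn }
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching   # no data between attacks must not page as an error
      AlarmActions: [ !Ref AlertTopicArn ]
```

The alarm is what turns Shield Advanced's near real-time detection into a runbook trigger; DRT engagement itself still has to be granted separately and needs Business or Enterprise Support.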

The Exam vs. Reality Gap:

  • Exam assumes budget is unlimited—always picks “best” technical solution
  • Real architects balance risk tolerance with financial constraints
  • A $50K/year startup won’t spend $36K/year on Shield Advanced—they’ll use WAF + CloudFront as a middle ground
