AWS Shield – Networking and Connectivity – SOA-C02 Study Guide

AWS Shield

This section covers the following objective of Domain 5 (Networking and Content Delivery) from the official AWS Certified SysOps Administrator – Associate (SOA-C02) exam guide:

5.1 Implement networking features and connectivity

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.

1. What is the difference between AWS Shield Standard and AWS Shield Advanced?

2. What types of attacks does AWS Shield Standard protect against?

Answers

1. Answer: AWS Shield Standard is automatically enabled free of charge. AWS Shield Advanced is optional and provides additional protections against more sophisticated and larger attacks.

2. Answer: AWS Shield Standard protects against common infrastructure layer attacks like UDP floods and state exhaustion attacks like TCP SYN floods.

AWS Shield Standard

AWS Shield is a managed DDoS protection service. It is available in two different offerings: Standard and Advanced.

AWS Shield Standard is automatically enabled at no cost for all AWS customers. It does not protect as many services as AWS Shield Advanced. This basic protection level defends against the most frequently occurring network and transport layer DDoS attacks. Incoming traffic is inspected for malicious patterns in real time. For example, if a DDoS attack originates from many different IP addresses, AWS Shield checks for other anomalies and, if necessary, begins mitigating the traffic. Services that use CloudFront and Route 53 receive a higher level of comprehensive protection against all known infrastructure (Layer 3 and 4) attacks.

AWS Shield Advanced

AWS Shield Advanced is a paid service. It provides mitigations against large and sophisticated DDoS attacks and near real-time visibility into attacks. AWS Shield Advanced also integrates with AWS WAF (Web Application Firewall). AWS Shield Advanced includes 24/7 access to the AWS DDoS Response Team (DRT), which provides live support from a team of AWS DDoS experts. Any scaling-related costs (ELBs, auto scaling groups, and so on) are credited if they are due to a DDoS attack. You can register up to 1000 AWS resources (load balancers, CloudFront distributions, Route 53 hosted zones, and so on) for protection with AWS Shield Advanced. Most attacks (99 percent) on CloudFront or Route 53 are mitigated within 1 second. If you wish to perform a DDoS test, you must request approval from AWS Support. AWS Shield Advanced protects resources on EC2, Elastic Load Balancing, CloudFront, AWS Global Accelerator, and Route 53.

ExamAlert

AWS Shield Advanced enables protections for Amazon EC2, Elastic Load Balancing, Amazon CloudFront, AWS Global Accelerator, and Route 53 resources.

Cram Quiz

Answer this question. The answer follows the question. If you cannot answer the question correctly, consider reading this section again until you can.

1. What is a key difference between AWS Shield and the AWS WAF?

A. AWS Shield is included at no additional cost; the AWS WAF charges for each web ACL.

B. The AWS WAF cannot be configured on CloudFront.

C. The AWS WAF cannot be configured on a load balancer.

D. The AWS WAF does not offer managed rules.

Cram Quiz Answers

1. Answer: A is correct. AWS Shield Standard is included at no additional cost, whereas AWS WAF charges for each web ACL you configure. B and C are incorrect because AWS WAF can be configured on CloudFront and on an Application Load Balancer.

What Next?

If you want more practice on this chapter’s exam objectives before you move on, remember that you can access all of the Cram Quiz questions on the Pearson Test Prep software online. You can also create a custom exam by objective with the Online Practice Test. Note any objective you struggle with and go to that objective’s material in this chapter.