What should a solutions architect do to meet this requirement?
A. Subscribe to AWS Shield Advanced. Add the accelerator as a resource to protect.
B. Subscribe to AWS Shield Advanced. Add the EC2 instances as resources to protect.
C. Create an AWS WAF web ACL that includes a rate-based rule. Associate the web ACL with the accelerator.
D. Create an AWS WAF web ACL that includes a rate-based rule. Associate the web ACL with the EC2 instances.
Explanations:
A. Subscribing to AWS Shield Advanced provides enhanced DDoS protection, and adding the accelerator as a resource ensures that the DNS service leveraging the Global Accelerator is protected against DDoS attacks, which is the primary concern here.
B. While AWS Shield Advanced can protect EC2 instances, in this scenario, the solution relies on a Global Accelerator. Protecting the EC2 instances directly does not ensure the same level of DDoS protection for the DNS service that utilizes the accelerator.
C. Creating an AWS WAF web ACL with a rate-based rule can help mitigate certain types of DDoS attacks; however, associating it with the accelerator instead of a more comprehensive solution like AWS Shield Advanced limits its effectiveness for large-scale DDoS attacks. Additionally, AWS WAF primarily protects web applications, not DNS services directly.
D. Similar to option C, associating a WAF web ACL with the EC2 instances does not directly protect the DNS service itself, especially since the service architecture is based on the accelerator. WAF is not primarily designed for DDoS protection and is more suitable for web applications.