What are some ways the Engineer could achieve this?
(Choose three.)
Use AWS X-Ray to inspect the traffic going to the EC2 instances.
Move the static content to Amazon S3, and front this with an Amazon CloudFront distribution.
Change the security group configuration to block the source of the attack traffic.
Use AWS WAF security rules to inspect the inbound traffic.
Use Amazon Inspector assessment templates to inspect the inbound traffic.
Use Amazon Route 53 to distribute traffic.
Explanations:
AWS X-Ray is primarily used for analyzing and debugging applications, providing insights into requests made to applications. It does not directly inspect or mitigate DDoS attacks, which makes it unsuitable for edge security.
Moving static content to Amazon S3 and using Amazon CloudFront as a CDN helps reduce the load on EC2 instances and enhances security by leveraging CloudFront’s built-in DDoS protection and caching capabilities. This approach provides better performance and resilience against DDoS attacks.
Changing security group configurations may help limit access to specific IP ranges but is not an effective DDoS mitigation strategy. DDoS attacks often involve a large number of IPs, making it impractical to block them all through security groups alone.
AWS WAF (Web Application Firewall) can be configured with security rules that inspect incoming traffic and filter out malicious requests, mitigating the impact of DDoS attacks and enhancing edge security.
Amazon Inspector is a security assessment service that helps identify vulnerabilities in applications, but it does not analyze or mitigate inbound traffic, making it ineffective for protecting against DDoS attacks.
Amazon Route 53 can help distribute traffic across multiple resources, providing load balancing and helping to absorb DDoS attack traffic. It can also implement health checks to reroute traffic away from compromised resources, thereby enhancing overall availability and resilience.