Protecting an application from layer 7 (application layer) DDoS attacks is best achieved by using AWS WAF (Web Application Firewall), which provides customizable protection against common web exploits including DDoS attacks at the application layer. AWS WAF supports managed rule groups maintained by AWS, which offer robust, tested protections against OWASP top 10 vulnerabilities and common attack patterns without requiring extensive manual rule creation.
While AWS Shield Standard provides basic network-layer DDoS protection automatically at no additional charge, it does not offer application-layer filtering capabilities. Therefore, option A alone is insufficient.
Option B, involving only custom rules, requires significant operational overhead and expertise, whereas AWS managed rules offer a turnkey solution with ongoing updates from AWS security teams.
Option D, using CloudFront in front of the ALB, can provide additional protection benefits such as caching and geographic restrictions, but the question specifically asks for protecting against layer 7 DDoS on the ALB directly. CloudFront plus WAF is a valid enhanced solution, but the direct and recommended answer in AWS official documents is to use AWS WAF managed rules directly with ALB for application-level protection.
[References:, AWS Well-Architected Framework — Security Pillar (https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf), AWS WAF Overview (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html), AWS Shield Overview (https://aws.amazon.com/shield/), Protecting Web Applications with AWS WAF (https://aws.amazon.com/blogs/security/how-to-protect-your-web-application-from-dos-and-ddos-attacks-using-aws-waf/), , , , , , ]
Submit