This questions appears on the practice test, but I think a different choice is correct.
==============
Across your industry, there has been a rise in activist hackers launching attacks on companies like yours. You want to be prepared in case some group turns its attention toward you. The most common attack, based on forensic work security researchers have done after other attacks, seems to be the TCP Syn Flood attack. To better protect yourself from that style of attack, what is the least cost measure you can take?
-> (1) Re-architect your landscape to use an application load balancer in front of any public facing services.
(2) Implement AWS Shield Advanced and configure it to generate CloudWatch alarms when malicious activity is detected.
xx (3) This type of attack is automatically addressed by AWS. You do not need to take additional action.
(4) Implement AWS WAF and configure filters to block cross-site scripting match conditions.
(5) Subscribe to a Business or Enterprise Support Plan. Engage AWS DDoS Response Team and arrange for a custom mitigation.
Explanation:
AWS Shield Standard is offered to all AWS customers automatically at no charge. You can subscribe to AWS Shield Advanced for more features and detailed reporting.
==============
==============
Based on the two resources below, I think (1) is the correct answer, not (3), because a load balancer would prevent SYN floods from reaching EC2 instances. Perhaps someone can update the practice test and include the below resource links as the explanation?
==============
https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/
"Elastic Load Balancing
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses, and multiple Availability Zones, which minimizes the risk of overloading a single resource. Elastic Load Balancing, like CloudFront, only supports valid TCP requests, so DDoS attacks such as UDP and SYN floods are not able to reach EC2 instances. It also offers a single point of management and can serve as a line of defense between the internet and your backend, private EC2 instances. Elastic Load Balancing includes the Application Load Balancer, which is best suited for load balancing of HTTP and HTTPS traffic and also directly supports AWS WAF."
https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
Page 8, Table 2: Summary of Best Practices
==============
2 Answers
Hmm this is a bit of a tough one – on one hand, you are correct – if we look at the best practices for DDOS mitigation, putting an ELB in the data path is the right thing to do.
However this question adds two modifiers to take into consideration – the fact that you only want to protect against TCP Syn Flood, and the fact that we are looking for the lowest cost option to protect against those TCP Syn Flood attacks. Taking those into consideration option 3 is the correct choice, as by default, AWS provides free protection from TCP Syn Flood attacks on any incoming traffic.
If we were looking to protect against other types of attacks, or if we were looking for the "best" or "most secure" solution, option 1 would be the correct choice.
At its core, this question is making sure you understand that AWS does provide some level of protection of your services for "free". This is found in the FAQs section for AWS Shield:
https://aws.amazon.com/shield/faqs/
What we might do is include a bit more of a detailed explanation:
"AWS Shield Standard is offered to all AWS customers automatically at no charge and will protect against TCP Syn Flood attacks without you having to do anything – this meet’s the question’s requirements of protecting TCP Syn Flood attacks at the lowest cost possible. A more robust solution which is better aligned to best practice would involve a load balancer in the data path, however as this would provide more functionality than required at a higher cost, is not the correct option for this question."
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html#ddos-help-me-choose
This lists SYN flood mitigation as a feature of AWS Shield Standard. It also recommends CloudFront and Route 53 to get an extra benefit from this type of attack.