AWS Best Practices for DDoS Resiliency

Edge Location Mitigation

  • Amazon CloudFront – Distributes content through edge locations, absorbing SYN floods, UDP reflection, and other common volumetric attacks before they reach the origin.
  • AWS Global Accelerator – Provides static IP addresses and global edge entry points, integrating with AWS Shield for DDoS protection; suitable when CloudFront is not applicable.
  • Amazon Route 53 – Offers globally distributed DNS resolution with built-in DDoS protection to maintain low-latency, highly available DNS services.
  • Using these together creates a layered edge defense that filters and absorbs malicious traffic before it enters the AWS network core.

Infrastructure Layer Defense

  • Combine Global Accelerator, Route 53, CloudFront, and Elastic Load Balancing to distribute and absorb traffic before it reaches compute resources.
  • Elastic Load Balancing – Scales automatically with incoming load, distributing requests across multiple targets to avoid single-point overload.
  • EC2 with Auto Scaling – Scales out rapidly in response to traffic surges, handling legitimate spikes and DDoS-driven bursts while maintaining availability.

Application Layer Defense

  • CloudFront – Caches static content at the edge and integrates with WAF to inspect and filter requests.
  • AWS WAF – Blocks malicious requests using signature-based, rate-based, and managed rule groups. Can inspect HTTP headers, body, and query parameters.
  • Shield Advanced – Provides automated application-layer mitigations by dynamically creating WAF rules during attacks.
  • Geo-blocking and IP reputation filtering can be applied at the CloudFront layer to stop traffic before it reaches the application.

Attack Surface Reduction

  • Hide backend resources like EC2 and Lambda behind CloudFront, API Gateway, or ALB.
  • Protect API endpoints using edge-optimized API Gateway for global reach or Regional API Gateway with CloudFront for additional control.
  • Enforce IP-based restrictions with Security Groups and NACLs.
  • Register Elastic IPs as Shield Advanced protected resources so volumetric attacks against them are mitigated automatically.
  • Apply rate limiting, request header filtering, and API key enforcement at the WAF or API Gateway level to further reduce exposure.
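One way to express the WAF layering described above (a managed rule group for signature-based filtering plus a rate-based block scoped down to the API path), as an added example that is not part of the original notes: the web ACL below is in the JSON shape accepted by `aws wafv2 create-web-acl --cli-input-json`. The ACL name, the `/api/` path prefix and the 2000-requests-per-five-minutes threshold are assumed values; a `CLOUDFRONT`-scoped ACL has to be created in us-east-1 and then attached to the distribution.

```json
{
  "Name": "edge-ddos-acl",
  "Scope": "CLOUDFRONT",
  "Description": "Managed rules plus per-IP rate limit on the API path (example values)",
  "DefaultAction": { "Allow": {} },
  "Rules": [
    {
      "Name": "aws-common-rules",
      "Priority": 0,
      "OverrideAction": { "None": {} },
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet"
        }
      },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "aws-common-rules" }
    },
    {
      "Name": "rate-limit-api-per-ip",
      "Priority": 1,
      "Action": { "Block": {} },
      "Statement": {
        "RateBasedStatement": {
          "Limit": 2000,
          "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "ByteMatchStatement": {
              "SearchString": "/api/",
              "FieldToMatch": { "UriPath": {} },
              "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ],
              "PositionalConstraint": "STARTS_WITH"
            }
          }
        }
      },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "rate-limit-api-per-ip" }
    }
  ],
  "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "edge-ddos-acl" }
}
```

A source IP that exceeds the limit on `/api/` paths within the five-minute window is blocked until its rate drops, while requests to other paths are only subject to the managed rule group. Switching the rate rule's action from `Block` to `Count` lets the threshold be tuned against the CloudWatch metrics before enforcing it.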