AWS · DVA-C02

Network Security And Edge Protection — AWS Developer (DVA-C02)

6% of exam questions (12 of 200)

WAF Filters Requests. Shield Absorbs Volume.

'DDoS' and 'volumetric flood' in a scenario point to Shield. 'SQL injection' and 'HTTP flood' point to WAF. WAF sits inline at the CloudFront or ALB layer and evaluates each HTTP request against rule groups before passing it to the origin. Shield operates at the network and transport layers, absorbing volumetric traffic before it reaches your application tier. Security groups control instance-level inbound and outbound traffic by port and source CIDR. Network ACLs apply stateless rules at the subnet boundary and evaluate inbound and outbound traffic independently. The three services protect different layers of the request path and do not substitute for each other.

What This Pattern Tests

The exam describes a threat and tests which edge protection applies. AWS WAF operates at Layer 7 — it inspects HTTP/HTTPS requests and blocks SQL injection, XSS, and rate-based attacks. Rules attach to CloudFront, ALB, or API Gateway. AWS Shield Standard is free and protects against Layer 3/4 DDoS (SYN floods, UDP reflection). Shield Advanced adds a DDoS response team, cost protection, and real-time metrics for $3,000/month. CloudFront Functions handle lightweight request/response manipulation (URL rewrites, header addition) at the edge. Lambda@Edge handles heavier logic (authentication, A/B testing) but with higher latency. The trap is using WAF to stop DDoS (it blocks application-layer attacks, not volumetric floods) or Shield to block SQL injection (it handles network-layer attacks, not application-layer ones).
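The WAF side of that split, as an added CloudFormation example that is not part of this page: a regional web ACL that blocks SQL injection with the AWS managed SQLi rule group, throttles HTTP floods with a rate-based rule, publishes CloudWatch metrics so blocked traffic is visible, and is associated with an existing ALB. The `AlbArn` parameter and the resource names are placeholders chosen for this example.

```yaml
# Added example (not from the page): Layer-7 edge protection for an ALB.
# Shield Standard needs no resource here; it is applied automatically.
AWSTemplateFormatVersion: "2010-09-09"
Description: WAF web ACL with SQLi and rate-based rules (example template)

Parameters:
  AlbArn:
    Type: String
    Description: ARN of the Application Load Balancer to protect (placeholder)

Resources:
  EdgeWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-edge-acl
      Scope: REGIONAL            # ALB / API Gateway; a CloudFront ACL uses CLOUDFRONT in us-east-1
      DefaultAction:
        Allow: {}                # requests no rule blocks are forwarded to the origin
      VisibilityConfig:          # metrics + sampled requests feed detection and tuning
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: example-edge-acl
      Rules:
        - Name: block-sqli
          Priority: 0            # lower number is evaluated first
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          OverrideAction:
            None: {}             # keep the rule group's own block actions
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: block-sqli
        - Name: throttle-http-flood
          Priority: 1
          Statement:
            RateBasedStatement:
              Limit: 2000        # requests per 5-minute window from one source IP
              AggregateKeyType: IP
          Action:
            Block: {}            # swap for Count: {} to observe before enforcing
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: throttle-http-flood

  EdgeWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt EdgeWebAcl.Arn
```

Two details matter for the exam framing: the rate-based rule counts requests, which is the HTTP-flood case the page assigns to WAF, and it does nothing against a SYN or UDP flood that never completes an HTTP request. For a CloudFront distribution the ACL is created with `Scope: CLOUDFRONT` in us-east-1 and referenced from the distribution's `WebACLId` rather than through a `WebACLAssociation`.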

Decision Axis

Threat type (application-layer vs. volumetric DDoS vs. edge logic) determines which service: WAF, Shield, CloudFront Functions, or Lambda@Edge.

Associated Traps

Decision Rules

Whether to terminate TLS at CloudFront (scope overreach — adds an unjustified CDN layer and leaves the CloudFront-to-ALB leg unencrypted) or to attach an ACM certificate directly to the ALB HTTPS listener and configure the target group with the HTTPS protocol, satisfying both the zero-renewal and end-to-end encryption constraints in the minimal correct design.

AWS Certificate Manager · Elastic Load Balancing · Amazon CloudFront

Whether attaching an ACM certificate to an HTTPS ALB listener is sufficient, or whether the target group backend protocol must independently be set to HTTPS to satisfy the end-to-end encryption requirement.

AWS Certificate Manager · Elastic Load Balancing

Whether the ALB-to-EC2 backend encryption leg requires a PKI-managed certificate issued by ACM Private CA, or whether a self-signed certificate on the EC2 HTTPS target satisfies the encryption-in-transit constraint without introducing certificate authority lifecycle overhead.

AWS Certificate Manager · Elastic Load Balancing
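The minimal correct design the three decision rules above converge on, as an added CloudFormation example that is not part of this page: an ACM certificate with DNS validation (so renewal needs no operator action), an ALB HTTPS listener that terminates it, and a target group whose backend protocol is HTTPS so the ALB re-encrypts to the instances. The parameter values, domain, and health-check path are placeholders chosen for this example.

```yaml
# Added example (not from the page): end-to-end TLS on an ALB without CloudFront.
AWSTemplateFormatVersion: "2010-09-09"
Description: ALB with ACM certificate and HTTPS backend (example template)

Parameters:
  DomainName:
    Type: String
    Default: app.example.com          # placeholder domain
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id  # zone used for DNS validation (placeholder)
  VpcId:
    Type: AWS::EC2::VPC::Id
  LoadBalancerArn:
    Type: String                      # existing internet-facing ALB (placeholder)

Resources:
  # ACM-managed certificate: DNS validation lets ACM renew it automatically
  AppCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

  # Backend leg: Protocol HTTPS makes the ALB re-encrypt to each target on 443.
  # The ALB does not validate the target's certificate, so a self-signed cert on
  # the instance satisfies encryption in transit without an ACM Private CA.
  AppTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance
      Protocol: HTTPS
      Port: 443
      HealthCheckProtocol: HTTPS
      HealthCheckPath: /healthz       # placeholder path

  # Front leg: the listener terminates public TLS with the ACM certificate
  AppHttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref AppCertificate
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AppTargetGroup

  # Redirect plain HTTP so no client path reaches the origin unencrypted
  AppHttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301
```

The check to make when reviewing such a template is the target group's `Protocol`: with the listener on HTTPS but the target group on HTTP, the ALB-to-EC2 leg is plaintext and only the first of the three decision rules is satisfied. Putting CloudFront in front of this ALB would add a layer the requirement does not call for and would need its own viewer-protocol and origin-protocol settings to keep every leg encrypted.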

Domain Coverage

Security

Difficulty Breakdown

Medium: 12