The optimal combination is to use AWS WAF to protect Amazon API Gateway and enable AWS Shield Advanced with the NLB. This combination provides layered protection across the web and network layers.

AWS WAF with API Gateway offers fine-grained control to filter malicious HTTP traffic before it even reaches the backend. It is specifically designed to mitigate web-based attacks like SQL injection, cross-site scripting (XSS), and other common OWASP threats. Since API Gateway is the entry point for web traffic in this architecture, applying WAF at this layer is the most logical and effective place for web application protection.

AWS Shield Advanced with NLB enhances DDoS protection for the backend infrastructure. Unlike Shield Standard, Shield Advanced provides additional features such as near real-time attack visibility, 24/7 access to the AWS DDoS Response Team (DRT), and cost protection against scaling due to attacks. This service directly integrates with NLB, which is crucial since NLB operates at Layer 4 and is typically more exposed to volumetric attacks.

Why the other options are not ideal:

Using AWS WAF to protect the NLB is not valid because AWS WAF only integrates with specific servicesAPI Gateway, CloudFront, App Load Balancer (ALB), and AWS Verified Access. It does not support NLB.

Using Amazon GuardDuty with AWS Shield Standard is ineffective for direct protection. GuardDuty is a threat detection service focused on anomaly detection using logs and doesnt offer active mitigation. Shield Standard offers basic DDoS protection but lacks the depth and features of Shield Advanced.

Shield Standard with API Gateway is already included by default, but it lacks dedicated protections, detailed metrics, and proactive support, making it insufficient for high-risk or large-scale platforms expecting potential DDoS events.

Why this question matters: This scenario tests your ability to implement defense-in-depth using AWS-native tools. It differentiates between application-layer and network-layer protections and requires you to understand service compatibility and deployment architecture.

Exam tip: Always consider AWS WAF at the web/API layer (API Gateway or ALB) for protection against common exploits. Use AWS Shield Advanced for serious DDoS protection, especially when specific support or insurance against usage costs is needed. Watch for compatibility: not all services support all protection tools.

Full AWS Practitioner Certification Question