Q29 — AWS SAA-C03 Ch.5
Q329. A company operates an ecommerce website on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. The site is experiencing performance issues related to a high request rate from illegitimate external systems with changing IP addresses. The security team is worried about potential DDoS attacks against the website. The company must block the illegitimate incoming requests in a way that has a minimal impact on legitimate users. What should a solutions architect recommend?
- A. Deploy Amazon Inspector and associate it with the ALB.
- B. Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule. ✓
- C. Deploy rules to the network ACLs associated with the ALB to block the incoming traffic.
- D. Deploy Amazon GuardDuty and enable rate-limiting protection when configuring GuardDuty.
Correct Answer: B. Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
Explanation
To block illegitimate incoming requests in a way that has minimal impact on legitimate users, the solutions architect should recommend deploying AWS WAF, associating it with the ALB, and configuring a rate-limiting rule. AWS WAF is a web application firewall that helps protect web applications from common web exploits such as SQL injection and cross-site scripting (XSS) attacks. It also allows users to create custom rules to block specific IP addresses or ranges, HTTP headers, or query string parameters. A rate-limiting rule can help limit the number of requests to the website from individual IPs or IP ranges, reducing the impact of DDoS attacks.

Option A is incorrect because Amazon Inspector is not used for blocking traffic, but rather for assessing the security and compliance of the environment.

Option C is incorrect because network ACLs do not have the level of granularity needed to selectively block unwanted traffic without affecting legitimate users.

Option D is incorrect because Amazon GuardDuty is used for threat detection and not for blocking traffic.

Rate limit

For a rate-based rule, enter the maximum number of requests to allow in any five-minute period from an IP address that matches the rule's conditions. The rate limit must be at least 100. You can specify a rate limit alone, or a rate limit and conditions. If you specify only a rate limit, AWS WAF places the limit on all IP addresses. If you specify a rate limit and conditions, AWS WAF places the limit on IP addresses that match the conditions.

When an IP address reaches the rate limit threshold, AWS WAF applies the assigned action (block or count) as quickly as possible, usually within 30 seconds. Once the action is in place, if five minutes pass with no requests from the IP address, AWS WAF resets the counter to zero.