Q58 — AWS SAP-C02 Ch.2
Q208. An education company is running a web application used by college students around the world. The application runs in an Amazon Elastic Container Service (Amazon ECS) cluster in an Auto Scaling group behind an Application Load Balancer (ALB). A system administrator detects a weekly spike in the number of failed login attempts, which overwhelm the application's authentication service. All the failed login attempts originate from about 500 different IP addresses that change each week. A solutions architect must prevent the failed login attempts from overwhelming the authentication service. Which solution meets these requirements with the MOST operational efficiency?
- A. Use AWS Firewall Manager to create a security group and security group policy to deny access from the IP addresses.
- B. Create an AWS WAF web ACL with a rate-based rule and set the rule action to Block. Connect the web ACL to the ALB. ✓
- C. Use AWS Firewall Manager to create a security group and security group policy to allow access only to specific CIDR ranges.
- D. Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB.
Correct Answer: B. Create an AWS WAF web ACL with a rate-based rule and set the rule action to Block. Connect the web ACL to the ALB.
Explanation
Option A suggests using AWS Firewall Manager to create a security group and security group policy that denies access from the offending IP addresses. Security groups are allow-only and have no deny rules, so a security group cannot express a block list at all; and even with a construct that could, someone would have to collect and push a new list of roughly 500 addresses every week, which is not operationally efficient.

Option C suggests using AWS Firewall Manager to create a security group and security group policy that allows access only to specific CIDR ranges. The application serves students all over the world, so there is no small set of legitimate ranges to allow, and an allow list would lock out real users while the attackers simply move to new addresses the following week.

Option D suggests creating an AWS WAF web ACL with an IP set match rule that blocks requests from the known addresses. This would work against the current week's sources, but it is purely reactive: the IP set would have to be rebuilt every week after the spike is noticed, and it does nothing against addresses that have not been seen before.

Option B is therefore the most efficient solution. A rate-based rule in AWS WAF counts requests per source IP address over an evaluation window (five minutes by default) and, once an address exceeds the configured limit, blocks its further requests until its rate drops back below the limit. No list is maintained and new addresses are handled automatically, so it does not matter that the 500 addresses change each week; any address that floods the authentication service is blocked on its own. Attaching the web ACL to the ALB puts the control in front of the ECS tasks without any change to the application. In practice the rule should carry a scope-down statement that restricts it to the login endpoint, so the threshold is measured against authentication requests only and ordinary browsing from the same address is not blocked; if a CDN or proxy sits in front of the ALB, the rule should aggregate on the forwarded client IP rather than the proxy's address. One caveat: a rate-based rule only sees per-address volume, so an attacker who spreads attempts thinly enough to keep every address under the limit is not stopped by it and needs account-level controls (such as per-account throttling or lockout, or AWS WAF's Account Takeover Prevention managed rule group) on top.
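As an added worked example that is not part of the original question or explanation, the block below does two things: it builds the rate-based rule entry in the form boto3's `wafv2` `create_web_acl` / `update_web_acl` call takes (including the scope-down statement on the login path), and it re-implements the rule's per-IP sliding-window counting locally so the behaviour can be checked offline against constructed ALB access-log lines. The login path `/api/login`, the limit of 100, the addresses, and the log lines are all assumptions made for this example, not values from the question.

```python
"""AWS WAF rate-based rule for a login flood: the rule definition, plus a local
re-implementation of its per-IP counting run over constructed ALB access-log lines."""
import shlex
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlparse

# Assumptions for this example (none come from the exam question):
LOGIN_PATH = "/api/login"   # the authentication endpoint behind the ALB
LIMIT = 100                 # login requests per IP per window before the action applies
WINDOW_SEC = 300            # the default five-minute evaluation window


def login_rate_rule(limit=LIMIT, window=WINDOW_SEC, path=LOGIN_PATH):
    """One entry for Rules=[...] in boto3's wafv2.create_web_acl / update_web_acl.
    The scope-down statement restricts both counting and blocking to the login
    path, so an offending IP's other requests and normal page loads are untouched."""
    return {
        "Name": "BlockLoginFlood",
        "Priority": 0,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "EvaluationWindowSec": window,
                "AggregateKeyType": "IP",   # use FORWARDED_IP if a proxy/CDN sits in front
                "ScopeDownStatement": {
                    "ByteMatchStatement": {
                        "FieldToMatch": {"UriPath": {}},
                        "PositionalConstraint": "STARTS_WITH",
                        "SearchString": path.encode(),   # boto3 takes bytes here
                        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                    }
                },
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "BlockLoginFlood"},
    }


def parse_alb_line(line):
    """(timestamp, client IP, URI path) from one ALB access-log line."""
    f = shlex.split(line)                    # quoted fields may contain spaces
    ts = datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ")
    ip = f[3].rsplit(":", 1)[0]              # field 3 is client:port
    url = f[12].split(" ")[1]                # field 12 is "METHOD URL HTTP/x.y"
    return ts, ip, urlparse(url).path


class RateRule:
    """Sliding-window approximation of the rule above. AWS WAF refreshes its
    counts roughly every 30 seconds rather than per request, so real blocking
    starts a little later than this exact model."""

    def __init__(self, limit=LIMIT, window=WINDOW_SEC, path=LOGIN_PATH):
        self.limit, self.window, self.path = limit, window, path.lower()
        self.hits = defaultdict(deque)      # ip -> timestamps of counted requests

    def evaluate(self, ts, ip, uri_path):
        if not uri_path.lower().startswith(self.path):
            return "ALLOW"                  # outside the scope-down: not counted, not blocked
        q = self.hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= self.window:
            q.popleft()                     # drop requests older than the window
        return "BLOCK" if len(q) > self.limit else "ALLOW"


def apply_rule(lines, limit=LIMIT, window=WINDOW_SEC, path=LOGIN_PATH):
    """Feed every log line to the rule; return {ip: {"ALLOW": n, "BLOCK": n}}.
    Windows are kept per IP, so only each IP's own lines need to be in time order."""
    rule = RateRule(limit, window, path)
    verdicts = defaultdict(lambda: {"ALLOW": 0, "BLOCK": 0})
    for line in lines:
        ts, ip, uri = parse_alb_line(line)
        verdicts[ip][rule.evaluate(ts, ip, uri)] += 1
    return dict(verdicts)


def sample_log(attackers=3, attempts=120, gap_sec=2):
    """Constructed ALB log lines, not captured traffic: each attacker IP sends
    `attempts` POSTs to the login path `gap_sec` apart (all 401s), one attacker
    also fetches a static asset, and one legitimate user logs in five times."""
    tmpl = ('https 2024-03-04T10:{m:02d}:{s:02d}.000000Z app/edu-alb/0123456789abcdef '
            '{ip}:51000 10.0.1.10:8080 0.001 0.010 0.000 401 401 300 120 '
            '"POST https://app.example.edu:443{path} HTTP/1.1" "Mozilla/5.0" - - '
            'arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/abc '
            '"Root=1-65e5a000-0123456789abcdef01234567" "app.example.edu" "-"')
    lines = []
    for a in range(attackers):
        ip = f"198.51.100.{a + 1}"
        for i in range(attempts):
            t = i * gap_sec
            lines.append(tmpl.format(m=t // 60, s=t % 60, ip=ip, path="/api/login"))
    lines.append(tmpl.format(m=1, s=0, ip="198.51.100.1", path="/static/app.js"))
    for i in range(5):
        lines.append(tmpl.format(m=i, s=30, ip="203.0.113.7", path="/api/login"))
    return lines


if __name__ == "__main__":
    for ip, v in sorted(apply_rule(sample_log()).items()):
        print(f"{ip:15} allowed={v['ALLOW']:4} blocked={v['BLOCK']:4}")
```

With the default sample, each attacker address gets its first 100 login attempts through and the remaining 20 blocked, the static-asset fetch from the same address is untouched because it falls outside the scope-down, and the legitimate user is never blocked. Re-running with `gap_sec=4` shows the caveat from the explanation: 120 attempts spread over eight minutes never hold more than 75 requests in any five-minute window, so nothing is blocked, which is why per-account controls are still needed against a slow, widely distributed attack.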