AWS Certified Security – Specialty — Question 205

A company website runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple
Availability Zones. There is an Amazon CloudFront distribution in front of the ALB. Users are reporting performance problems. A security engineer discovers that the website is receiving a high rate of unwanted requests to the CloudFront distribution originating from a series of source IP addresses.
How should the security engineer address this problem?

Answer options

• A. Using AWS Shield, configure a deny rule with an IP match condition containing the source IPs of the unwanted requests.
• B. Using Auto Scaling, configure the maximum an instance value to an increased count that will absorb the unwanted requests.
• C. Using an Amazon VPC NACL, configure an inbound deny rule for each source IP CIDR address of the unwanted requests.
• D. Using AWS WAF, configure a web ACL rate-based rule on the CloudFront distribution with a rate limit below that of the unwanted requests.

Correct answer: D

Explanation

The correct answer is D because AWS WAF allows for the implementation of rate-based rules that can effectively limit the number of requests from specific IP addresses, thus mitigating the impact of unwanted traffic. Option A is incorrect as AWS Shield primarily provides DDoS protection and does not directly manage unwanted request rates. Option B does not resolve the underlying issue of unwanted requests and only scales resources without addressing the problem. Option C could help but lacks the granularity and efficiency of using AWS WAF for rate limiting.