AWS Certified Security – Specialty — Question 302
A company is observing frequent bursts of unusual traffic to its corporate website. The IP address ranges generating the requests keep changing, and the volume of traffic is increasing.
A security engineer needs to implement a solution to protect the website from a potential DDoS attack. The solution must track the rate of requests from each IP address. When the requests from a particular IP address exceed a specific rate, the solution must limit the amount of traffic that can reach the website from that IP address.
Which solution will meet these requirements?
Answer options
- A. Set up Amazon Inspector on the backend servers. Create assessment targets with a rate-based configuration to block any offending IP address.
- B. Create a rate-based rule in AWS WAF to block an IP address when that IP address exceeds the configured threshold rate.
- C. Identify the offending client IP address ranges. Create a regular rule in AWS WAF to block the offending IP address ranges.
- D. Create a rate-based rule in Amazon GuardDuty to block an IP address when that IP address exceeds the configured threshold rate.
Correct answer: B
Explanation
AWS WAF rate-based rules count requests per originating IP address over a trailing evaluation window (5 minutes by default) and apply the rule action, typically Block, to an IP as soon as its count exceeds the configured limit; the block is lifted automatically once the rate drops back under the limit, so no manual clean-up is needed when the source addresses change. The web ACL containing the rule is attached to the resource in front of the website (for example a CloudFront distribution, Application Load Balancer, or API Gateway), which is where the rate limiting is enforced. Amazon Inspector is a vulnerability scanner and Amazon GuardDuty is a threat detection service; neither sits in the request path, has a rate-based rule concept, or can block or rate-limit web traffic, so options A and D are wrong. A regular AWS WAF rule with a static IP set (option C) is ineffective here because the offending IP ranges are constantly changing, making manual blocking unfeasible and leaving a window of exposure after every change.
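The following is an added example, not part of the original question or explanation. It builds the rate-based rule definition in the shape the AWS WAFv2 API accepts in a web ACL's `Rules` list, and then replays a constructed access log through a local trailing-window counter to show which IPs such a rule would flag. The rule name `rate-limit-per-ip`, the limit values, and the sample log lines are assumptions made for illustration; the local counter is a simplified model of the concept, not AWS WAF's internal implementation.

```python
"""Added example: AWS WAFv2 rate-based rule definition plus a local simulation
of trailing-window per-IP counting. Not code from the original page."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# AWS WAF's default rate evaluation window is 5 minutes.
EVALUATION_WINDOW = timedelta(minutes=5)


def rate_based_rule(name: str, limit: int, priority: int = 0,
                    behind_proxy: bool = False) -> dict:
    """Return one Rule entry for a WAFv2 web ACL (create-web-acl / update-web-acl).

    behind_proxy=True aggregates on the client IP carried in X-Forwarded-For,
    which is needed when a proxy or CDN you do not control sits between the
    client and the resource WAF protects; otherwise the proxy's own IP would be
    counted and rate limited instead of the real clients.
    """
    if not isinstance(limit, int) or limit <= 0:
        raise ValueError("limit must be a positive integer (WAF also enforces a service minimum)")
    statement = {"Limit": limit, "AggregateKeyType": "FORWARDED_IP" if behind_proxy else "IP"}
    if behind_proxy:
        # NO_MATCH: requests with a missing or malformed header are not counted
        # against anyone, so a Block rule cannot hit clients that lack the header.
        statement["ForwardedIPConfig"] = {"HeaderName": "X-Forwarded-For",
                                          "FallbackBehavior": "NO_MATCH"}
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": statement},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def ips_over_limit(log_lines, limit: int, window: timedelta = EVALUATION_WINDOW) -> set:
    """Replay log lines of the form '<ISO timestamp> <ip>' in time order and
    return the IPs whose request count inside any trailing window exceeds limit.
    Simplified model of the rate-based rule's counting, for illustration only."""
    events = []
    for line in log_lines:
        ts, ip = line.split()
        events.append((datetime.fromisoformat(ts), ip))
    events.sort()

    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire requests older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged


def make_sample_log() -> list:
    """Constructed sample traffic (documentation IP ranges), not real logs."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # 198.51.100.7: 120 requests in 2 minutes -> exceeds a limit of 100.
    for i in range(120):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.7")
    # 203.0.113.9: 120 requests, one every 10 s over 20 minutes -> at most
    # 31 fall inside any 5-minute window, so it is never flagged.
    for i in range(120):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 203.0.113.9")
    # 192.0.2.3: a 60-request burst in one minute -> under the limit.
    for i in range(60):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 192.0.2.3")
    return lines


if __name__ == "__main__":
    print(json.dumps(rate_based_rule("rate-limit-per-ip", 2000), indent=2))
    print("IPs a 100-per-window rule would block:", ips_over_limit(make_sample_log(), 100))
```

The rule definition is the part you would pass to the WAFv2 API; the simulation shows why a rate-based rule handles the changing-source problem: it needs no list of bad addresses, only a per-IP counter, and an IP stops being blocked as soon as its count falls back inside the window limit. Pick the limit from observed peak per-client rates for legitimate users so that the rule does not cut off real customers behind a shared NAT.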