AWS Certified Security – Specialty — Question 381
A company's public website consists of an Application Load Balancer (ALB), a set of Amazon EC2 instances that run a stateless application behind the ALB, and an Amazon DynamoDB table from which the application reads data. The company is concerned about malicious scanning and DDoS attacks. The company wants to impose a restriction in which each client IP address can read the data only 3 times in any 5-minute period.
Which solution will meet this requirement with the LEAST effort?
Answer options
- A. Set up AWS WAF in front of the ALB. Create a rule that blocks requests that exceed the limit of 3 requests in any 5-minute period for each IP address.
- B. Create an AWS Lambda function based on an Amazon CloudWatch request. Configure the Lambda function to count the requests for each IP address in rolling 5-minute intervals and to provide notification if the count exceeds 3.
- C. Modify the EC2 application to count the source IP address of requests and calculate a rolling 5-minute sum. Return an error message if the count sum is greater than 3.
- D. Add source IP address and request time to the DynamoDB table. Add a 5-minute TTL setting based on request time. Change the read capacity of the DynamoDB table throughput to 3.
Correct answer: A
Explanation
AWS WAF natively supports rate-based rules, which can automatically track and block requests from individual IP addresses that exceed a specified limit within a sliding 5-minute window, making it the solution with the least operational effort. Implementing this logic within the EC2 application code or using DynamoDB writes adds unnecessary complexity and overhead to the backend resources. Using CloudWatch and Lambda is overly complex and does not natively block the malicious traffic inline before it reaches the application.
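For reference, the rule that option A describes looks like this as an AWS WAF (wafv2) web ACL rule; this is an added example, not part of the original question, and the rule name and metric name are assumptions. AWS WAF enforces a documented minimum of 10 requests per evaluation window for `Limit`, so the example uses that minimum rather than the literal 3 from the question, and the 5-minute window maps to `EvaluationWindowSec` 300.

```json
{
  "Name": "LimitReadsPerClientIp",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 10,
      "EvaluationWindowSec": 300,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "LimitReadsPerClientIp"
  }
}
```

The rule belongs in a REGIONAL-scope web ACL that is then associated with the ALB (for example with `aws wafv2 associate-web-acl`); if another proxy or CDN sits in front of the ALB, `AggregateKeyType` should be `FORWARDED_IP` with a `ForwardedIPConfig` so the client address is read from the `X-Forwarded-For` header rather than the proxy's own address.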