AWS Certified Solutions Architect – Associate (SAA-C02) — Question 184
A company operates an ecommerce website on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. The site is experiencing performance issues related to a high request rate from illegitimate external systems with changing IP addresses. The security team is worried about potential DDoS attacks against the website. The company must block the illegitimate incoming requests in a way that has a minimal impact on legitimate users.
What should a solutions architect recommend?
Answer options
- A. Deploy Amazon Inspector and associate it with the ALB.
- B. Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
- C. Deploy rules to the network ACLs associated with the ALB to block the incoming traffic.
- D. Deploy Amazon GuardDuty and enable rate-limiting protection when configuring GuardDuty.
Correct answer: B
Explanation
The correct choice is B because AWS WAF lets you create rules that filter traffic based on conditions like rate limits, which mitigates DDoS attacks while allowing legitimate traffic through. Option A does not provide direct protection against DDoS. Option C is less effective because network ACLs work at a less granular level and can impact legitimate traffic. Option D does not directly address the need for rate limiting.