AWS Certified Solutions Architect – Associate (SAA-C02) — Question 464

A company is running a publicly accessible serverless application that uses Amazon API Gateway and AWS Lambda. The application's traffic recently spiked due to fraudulent requests from botnets.
Which steps should a solutions architect take to block requests from unauthorized users? (Choose two.)

Answer options

• A. Create a usage plan with an API key that is shared with genuine users only.
• B. Integrate logic within the Lambda function to ignore the requests from fraudulent IP addresses.
• C. Implement an AWS WAF rule to target malicious requests and trigger actions to filter them out.
• D. Convert the existing public API to a private API. Update the DNS records to redirect users to the new API endpoint.
• E. Create an IAM role for each user attempting to access the API. A user will assume the role when making the API call.

Correct answer: A, C

Explanation

Implementing AWS WAF with Amazon API Gateway allows the solutions architect to inspect incoming traffic and block malicious botnet requests at the edge before they reach the backend. Additionally, requiring API keys associated with a usage plan ensures that only authorized clients with valid keys can successfully call the API, filtering out unauthorized bot traffic. Other options, like embedding IP-blocking logic in Lambda, still incur execution costs, while converting to a private API or managing individual IAM roles for all public users is operationally impractical.