AWS Certified Solutions Architect – Associate (SAA-C03) — Question 430
A company operates an ecommerce website on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. The site is experiencing performance issues related to a high request rate from illegitimate external systems with changing IP addresses. The security team is worried about potential DDoS attacks against the website. The company must block the illegitimate incoming requests in a way that has a minimal impact on legitimate users.
What should a solutions architect recommend?
Answer options
- A. Deploy Amazon Inspector and associate it with the ALB.
- B. Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
- C. Deploy rules to the network ACLs associated with the ALB to block the incoming traffic.
- D. Deploy Amazon GuardDuty and enable rate-limiting protection when configuring GuardDuty.
Correct answer: B
Explanation
AWS WAF can be associated with an ALB to filter web traffic at Layer 7. Its rate-based rules count requests per source IP and automatically block any client that exceeds the configured threshold, lifting the block once that client's rate drops again; because each new IP gets its own counter, the rule keeps working when the attacker's addresses change, and legitimate users are not affected. Network ACLs operate at Layer 4 and block traffic based on static IP addresses, which is ineffective against dynamic IPs and can inadvertently block legitimate users. Amazon Inspector is a vulnerability scanner and Amazon GuardDuty is a threat detection service; neither provides inline, real-time rate limiting for web traffic.
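The recommended design, written out as an added CloudFormation example (not part of the exam page or any AWS sample): a WAFv2 web ACL with a per-IP rate-based rule, associated with an existing ALB. The ALB ARN is passed in as a parameter and the limit of 2000 requests per 5-minute window is an assumed value to be tuned to the site's real traffic.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - WAF rate-based rule protecting an existing ALB

Parameters:
  AlbArn:
    Type: String
    Description: ARN of the existing Application Load Balancer (assumed to exist already)

Resources:
  EcommerceWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: ecommerce-web-acl
      Scope: REGIONAL                # REGIONAL for ALB/API Gateway; CLOUDFRONT only for distributions
      DefaultAction:
        Allow: {}                    # legitimate requests pass unless a rule matches
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ecommerce-web-acl
      Rules:
        - Name: rate-limit-per-ip
          Priority: 0
          Action:
            Block: {}                # start with Count: {} to measure before enforcing
          Statement:
            RateBasedStatement:
              Limit: 2000            # assumed value; requests per IP per default 5-minute window
              AggregateKeyType: IP   # one counter per source IP, so each rotated IP is tracked separately
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rate-limit-per-ip

  # Attaching the web ACL to the ALB is a separate resource; without it the ACL inspects nothing.
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt EcommerceWebAcl.Arn
```

Run the rule in Count mode first and watch the `rate-limit-per-ip` CloudWatch metric and sampled requests, so the limit is set above the peak of legitimate clients that share an IP (corporate NAT, mobile carriers) before switching to Block.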