AWS Certified SysOps Administrator – Associate (legacy) — Question 507

A SysOps Administrator observes a large number of rogue HTTP requests on an Application Load Balancer (ALB). The requests originate from various IP addresses.
Which action should be taken to block this traffic?

Answer options

• A. Use Amazon CloudFront to cache the traffic and block access to the web servers
• B. Use Amazon GuardDuty to protect the web servers from bots and scrapers
• C. Use AWS Lambda to analyze the web server logs, detect bot traffic, and block the IP address in the security groups
• D. Use AWS WAF rate-based blacklisting to block this traffic when it exceeds a defined threshold

Correct answer: D

Explanation

AWS WAF rate-based rules are designed to automatically mitigate HTTP flood attacks by temporarily blocking IP addresses when they exceed a defined request limit. Amazon GuardDuty is a security monitoring and detection service rather than a real-time mitigation tool, and security groups have strict limits on rule capacity, making IP-by-IP blocking via AWS Lambda ineffective for distributed traffic. While Amazon CloudFront can cache content, it does not natively block malicious request spikes without AWS WAF integration.