AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is running a publicly accessible serverless application that uses Amazon API Gateway and AWS Lambda. The application's traffic recently spiked due to fraudulent requests from botnets.

Which steps should a solutions architect take to block requests from unauthorized users? (Choose two.)

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create a usage plan with an API key that is shared with genuine users only.

Integrate logic within the Lambda function to ignore the requests from fraudulent IP addresses.

Implement an AWS WAF rule to target malicious requests and trigger actions to filter them out.

Convert the existing public API to a private API. Update the DNS records to redirect users to the new API endpoint.

Create an IAM role for each user attempting to access the API. A user will assume the role when making the API call.

Explanation:

Explanation

Correct Answers: A and C

A. Create a usage plan with an API key that is shared with genuine users only.

API Gateway usage plans allow you to throttle and meter API usage with API keys
By distributing API keys only to legitimate users, you can block unauthorized access
This is a serverless-friendly approach that works well with API Gateway

C. Implement an AWS WAF rule to target malicious requests and trigger actions to filter them out.

AWS WAF (Web Application Firewall) can be integrated with API Gateway to filter malicious traffic
You can create rules to block requests from known botnets, specific IP addresses, or patterns of malicious behavior
This provides a security layer before requests even reach your Lambda functions

Why other options are incorrect:

B. Integrate logic within the Lambda function to ignore the requests from fraudulent IP addresses.

While technically possible, this is not the best practice because:
- It adds complexity to your business logic
- The Lambda function still gets invoked, incurring costs
- It's less efficient than blocking requests at the API Gateway/WAF level
- Security logic should be implemented at the perimeter, not within application code

D. Convert the existing public API to a private API. Update the DNS records to redirect users to the new API endpoint.

This would break the application since it's described as "publicly accessible"
Private APIs are only accessible from within your VPC or via VPC endpoints
This would prevent legitimate users from accessing the application

E. Create an IAM role for each user attempting to access the API. A user will assume the role when making the API call.

This is impractical for a publicly accessible application
IAM roles are designed for AWS services and authenticated AWS users, not anonymous public users
This would require users to have AWS credentials, which is not feasible for a public API

Best Practices Summary

API Keys with Usage Plans: Control access and throttle requests
AWS WAF Integration: Filter malicious traffic at the edge
Consider AWS Shield: For DDoS protection
Rate Limiting: Implement throttling in API Gateway
Monitoring: Use CloudWatch metrics and AWS WAF logs to detect and respond to attacks

Powered ByGPT-5.2

Comments

Loading comments...