
**Answer: A and C**

- A. Create a usage plan with an API key that is shared with genuine users only.
- C. Implement an AWS WAF rule to target malicious requests and trigger actions to filter them out.
## Explanation

**Correct Answers: A and C**

**A. Create a usage plan with an API key that is shared with genuine users only.**

- API Gateway usage plans allow you to throttle and meter API usage with API keys
- By distributing API keys only to legitimate users, you can block unauthorized access
- This is a serverless-friendly approach that works well with API Gateway

**C. Implement an AWS WAF rule to target malicious requests and trigger actions to filter them out.**

- AWS WAF (Web Application Firewall) can be integrated with API Gateway to filter malicious traffic
- You can create rules to block requests from known botnets, specific IP addresses, or patterns of malicious behavior
- This provides a security layer before requests even reach your Lambda functions

**Why other options are incorrect:**

**B. Integrate logic within the Lambda function to ignore the requests from fraudulent IP addresses.**

- While technically possible, this is not the best practice because:
  - It adds complexity to your business logic
  - The Lambda function still gets invoked, incurring costs
  - It's less efficient than blocking requests at the API Gateway/WAF level
- Security logic should be implemented at the perimeter, not within application code

**D. Convert the existing public API to a private API. Update the DNS records to redirect users to the new API endpoint.**

- This would break the application since it's described as "publicly accessible"
- Private APIs are only accessible from within your VPC or via VPC endpoints
- This would prevent legitimate users from accessing the application

**E. Create an IAM role for each user attempting to access the API. A user will assume the role when making the API call.**

- This is impractical for a publicly accessible application
- IAM roles are designed for AWS services and authenticated AWS users, not anonymous public users
- This would require users to have AWS credentials, which is not feasible for a public API

## Best Practices Summary

1. **API Keys with Usage Plans**: Control access and throttle requests
2. **AWS WAF Integration**: Filter malicious traffic at the edge
3. **Consider AWS Shield**: For DDoS protection
4. **Rate Limiting**: Implement throttling in API Gateway
5. **Monitoring**: Use CloudWatch metrics and AWS WAF logs to detect and respond to attacks
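How options A and C fit together in practice, as an added CloudFormation example that is not part of the quiz page and is not an AWS-published template. It assumes a REST API and a deployed stage already exist and are passed in as the parameters `RestApiId` and `StageName`; the resource names (`GenuineUserApiKey`, `UsagePlan`, `BlockedIpSet`, `ApiWebAcl`, and so on) are my own, and the IP range in the IP set is a constructed placeholder from the RFC 5737 documentation range. It goes slightly beyond the explanation by adding a WAF rate-based rule and the AWS IP reputation managed rule group, which cover the "patterns of malicious behavior" and "known botnets" cases the text mentions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - usage plan/API key plus a regional WAF web ACL on an existing API Gateway stage.

Parameters:
  RestApiId:
    Type: String
    Description: ID of the existing REST API (assumed to exist already)
  StageName:
    Type: String
    Default: prod
    Description: Deployed stage to protect (assumed to exist already)

Resources:
  # ----- Option A: API key distributed only to genuine users, metered by a usage plan -----
  GenuineUserApiKey:
    Type: AWS::ApiGateway::ApiKey
    Properties:
      Name: genuine-user-key
      Enabled: true   # clients present the key value in the x-api-key header

  UsagePlan:
    Type: AWS::ApiGateway::UsagePlan
    Properties:
      UsagePlanName: genuine-users
      ApiStages:
        - ApiId: !Ref RestApiId
          Stage: !Ref StageName
      Throttle:        # per-key steady-state rate (req/s) and burst
        RateLimit: 50
        BurstLimit: 100
      Quota:           # per-key hard cap per day
        Limit: 100000
        Period: DAY

  UsagePlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref GenuineUserApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref UsagePlan

  # ----- Option C: AWS WAF filters traffic before it reaches API Gateway/Lambda -----
  BlockedIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: known-botnet-sources
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 203.0.113.0/24   # constructed placeholder; replace with observed botnet ranges

  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: api-gateway-botnet-acl
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: apiGatewayBotnetAcl
      Rules:
        - Name: block-known-botnet-ips        # specific IP addresses
          Priority: 0
          Action:
            Block: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt BlockedIpSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: blockKnownBotnetIps
        - Name: aws-ip-reputation-list         # AWS-maintained list of known bad sources
          Priority: 1
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesAmazonIpReputationList
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: awsIpReputationList
        - Name: rate-limit-per-source-ip       # pattern: one IP hammering the API
          Priority: 2
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 1000          # requests per 5-minute window from a single IP
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rateLimitPerSourceIp

  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub "arn:${AWS::Partition}:apigateway:${AWS::Region}::/restapis/${RestApiId}/stages/${StageName}"
      WebACLArn: !GetAtt ApiWebAcl.Arn
```

Two things the template cannot do for you: the usage plan only applies to methods whose `ApiKeyRequired` property is `true`, so the existing API's methods must be redeployed with that set, and the key itself is a metering/throttling control rather than an authentication mechanism (it travels in the `x-api-key` header), which is why the question pairs it with WAF. Because the web ACL is associated with the stage, requests it blocks never reach Lambda, which is the cost argument the explanation makes against option B; the per-rule `VisibilityConfig` entries give you the CloudWatch metrics the Best Practices Summary recommends for monitoring.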
Author: LeetQuiz Editorial Team
A company is running a publicly accessible serverless application that uses Amazon API Gateway and AWS Lambda. The application's traffic recently spiked due to fraudulent requests from botnets.
Which steps should a solutions architect take to block requests from unauthorized users? (Choose two.)
A. Create a usage plan with an API key that is shared with genuine users only.

B. Integrate logic within the Lambda function to ignore the requests from fraudulent IP addresses.

C. Implement an AWS WAF rule to target malicious requests and trigger actions to filter them out.

D. Convert the existing public API to a private API. Update the DNS records to redirect users to the new API endpoint.

E. Create an IAM role for each user attempting to access the API. A user will assume the role when making the API call.