
A financial company hosts a web application on AWS. The application uses an Amazon API Gateway Regional API endpoint to give users the ability to retrieve current stock prices. The company’s security team has noticed an increase in the number of API requests. The security team is concerned that HTTP flood attacks might take the application offline.
A solutions architect must design a solution to protect the application from this type of attack.
Which solution meets these requirements with the LEAST operational overhead?
A
Create an Amazon CloudFront distribution in front of the API Gateway Regional API endpoint with a maximum TTL of 24 hours.
B
Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.
C
Use Amazon CloudWatch metrics to monitor the Count metric and alert the security team when the predefined rate is reached.
D
Create an Amazon CloudFront distribution with Lambda@Edge in front of the API Gateway Regional API endpoint. Create an AWS Lambda function to block requests from IP addresses that exceed the predefined rate.
Explanation:
Correct Answer: B - Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.
Why this is the correct answer:
AWS WAF rate-based rules are designed for exactly this case: the rule counts requests per source IP (the aggregation key) over a sliding evaluation window (5 minutes by default) and applies a Block action to any IP whose count exceeds the configured limit, which is how an HTTP flood, a layer 7 attack, is stopped.
Least operational overhead: rate-based rules are a managed feature of AWS WAF. The service tracks per-IP counts and blocks offending IPs itself; once the web ACL is configured there is no code, state store or infrastructure to run.
Direct integration with API Gateway: a web ACL created with REGIONAL scope in the same Region as the API can be associated directly with the REST API stage, so no additional component (such as a CloudFront distribution) has to be placed in front of the Regional endpoint.
Automatic blocking and recovery: when an IP exceeds the limit, AWS WAF blocks its subsequent requests for as long as its count over the window stays above the limit, and allows it again once the count falls back under the limit. The block is not a fixed, configured duration; it follows the measured rate.
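The following is an added example and not part of the quiz page: it builds the web ACL from option B as the parameter structure that AWS WAF's CreateWebACL API accepts (the same JSON you would pass to `aws wafv2 create-web-acl`), and replays a constructed request log through a simplified model of a rate-based rule so you can see which client gets blocked and why. The web ACL and metric names, the 2000-request limit, the two client IPs and the log sample are all assumptions made for the illustration.

```python
"""Added example (not from the quiz page): option B's web ACL as a CreateWebACL request,
plus an offline model of how an AWS WAF rate-based rule decides per source IP.
Names, the 2000-request limit and the sample log are assumptions."""
from collections import defaultdict, deque

RATE_LIMIT = 2000      # assumed threshold: requests per source IP per evaluation window
WINDOW_SECONDS = 300   # AWS WAF's default 5-minute evaluation window


def build_web_acl_request(stage_name: str = "prod") -> dict:
    """CreateWebACL parameters for a Regional web ACL with one rate-based BLOCK rule.

    The same structure works for `aws wafv2 create-web-acl` and boto3 create_web_acl().
    """
    return {
        "Name": f"stock-api-{stage_name}-flood-protection",  # assumed name
        "Scope": "REGIONAL",  # REGIONAL (not CLOUDFRONT) so it can be attached to API Gateway
        "DefaultAction": {"Allow": {}},
        "Rules": [
            {
                "Name": "rate-limit-per-source-ip",
                "Priority": 0,
                "Statement": {
                    "RateBasedStatement": {
                        "Limit": RATE_LIMIT,
                        "AggregateKeyType": "IP",  # count requests per client IP
                    }
                },
                "Action": {"Block": {}},
                "VisibilityConfig": {
                    "SampledRequestsEnabled": True,
                    "CloudWatchMetricsEnabled": True,
                    "MetricName": "RateLimitPerSourceIP",
                },
            }
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "StockApiWebAcl",
        },
    }


class RateBasedRuleModel:
    """Simplified model of a rate-based rule keyed on source IP.

    Real AWS WAF re-counts on a schedule rather than on every request, so it can react
    a little later than this model does; the behaviour is the same: an IP is blocked
    while its request count over the window exceeds the limit and is allowed again
    once the count drops back under it.
    """

    def __init__(self, limit: int = RATE_LIMIT, window_seconds: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window_seconds
        self._recent = defaultdict(deque)  # ip -> timestamps still inside the window

    def decide(self, ip: str, ts: float) -> str:
        q = self._recent[ip]
        q.append(ts)
        while q and ts - q[0] >= self.window:  # expire requests older than the window
            q.popleft()
        return "BLOCK" if len(q) > self.limit else "ALLOW"


def simulate(log_lines, limit: int = RATE_LIMIT, window_seconds: int = WINDOW_SECONDS) -> dict:
    """Replay 'timestamp source_ip path' lines in time order; tally ALLOW/BLOCK per IP."""
    model = RateBasedRuleModel(limit, window_seconds)
    tally = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in sorted(log_lines, key=lambda entry: float(entry.split()[0])):
        ts, ip, _path = line.split()
        key = "blocked" if model.decide(ip, float(ts)) == "BLOCK" else "allowed"
        tally[ip][key] += 1
    return dict(tally)


# Constructed sample log: one legitimate client polling prices every 6 seconds, and one
# flooder sending 10 requests per second for 5 minutes (3000 requests inside one window).
SAMPLE_LOG = [f"{k * 6} 203.0.113.5 /prices" for k in range(50)] + [
    f"{i // 10} 198.51.100.7 /prices" for i in range(3000)
]

if __name__ == "__main__":
    for ip, counts in simulate(SAMPLE_LOG).items():
        print(f"{ip}: {counts}")
```

Running the file prints that 203.0.113.5 has all 50 requests allowed while 198.51.100.7 gets its first 2000 requests through and the remaining 1000 blocked, the moment its count in the window passes the limit. To apply the real configuration, the dictionary feeds `boto3.client("wafv2", region_name=<api region>).create_web_acl(**build_web_acl_request())`, and the returned ARN goes to `associate_web_acl(WebACLArn=..., ResourceArn=<REST API stage ARN>)`; both the web ACL and the API must be in the same Region.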
Why other options are incorrect:
A. CloudFront with maximum TTL: Caching only serves repeated, cacheable responses from the edge; it does not limit or block anyone. An attacker can still drive requests through to the origin with non-GET methods or with varying query strings that miss the cache, and the distribution on its own (without a web ACL) adds no rate enforcement.
C. CloudWatch monitoring and alerts: This provides visibility but doesn't actively protect the application. It requires manual intervention by the security team to respond to alerts, which doesn't meet the requirement for protection.
D. CloudFront with Lambda@Edge: This could work, but it has higher operational overhead. You would have to write, deploy and maintain custom Lambda@Edge and Lambda code to count requests per IP and keep that state somewhere the functions can reach, which is exactly what a WAF rate-based rule provides as a managed feature, and you would also be adding a CloudFront distribution in front of the API.
Key AWS Services for DDoS Protection:
AWS Shield Standard: enabled automatically, at no extra charge, for every AWS account. It mitigates network- and transport-layer (layer 3/4) floods but not application-layer HTTP floods.
AWS WAF rate-based rules: the application-layer (layer 7) control that counts and blocks per source IP. For protecting API Gateway from HTTP flood attacks, a Regional web ACL with a rate-based rule associated with the API stage is the most appropriate and operationally efficient solution.