
Answer-first summary for fast verification
Answer: Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.
## Explanation

**Correct Answer: B** - Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.

**Why this is the correct answer:**

1. **AWS WAF with rate-based rules** is specifically designed to protect against HTTP flood attacks and DDoS attacks by limiting the number of requests from a single IP address within a specified time period.
2. **Least operational overhead**: AWS WAF rate-based rules are a managed feature that automatically tracks and blocks IP addresses that exceed the rate limit. Once configured, they require minimal ongoing management.
3. **Direct integration with API Gateway**: AWS WAF can be directly associated with API Gateway stages, providing native protection without requiring additional infrastructure.
4. **Automatic blocking**: When an IP exceeds the rate limit, AWS WAF automatically blocks subsequent requests from that IP for a configurable period.

**Why other options are incorrect:**

**A. CloudFront with maximum TTL**: This only caches responses but doesn't protect against HTTP flood attacks. Attackers can still send requests that bypass the cache (non-GET requests or requests with different parameters).

**C. CloudWatch monitoring and alerts**: This provides visibility but doesn't actively protect the application. It requires manual intervention by the security team to respond to alerts, which doesn't meet the requirement for protection.

**D. CloudFront with Lambda@Edge**: While this could work, it has higher operational overhead because:

- It requires developing, testing, and maintaining custom Lambda functions
- Lambda@Edge functions run at edge locations, which adds complexity
- It requires managing the rate-limiting logic and state management
- It is more expensive and complex than using AWS WAF's built-in rate-based rules

**Key AWS Services for DDoS Protection:**

- **AWS Shield Standard**: Automatically included with AWS services
- **AWS Shield Advanced**: Enhanced DDoS protection with 24/7 support
- **AWS WAF**: Web application firewall with rate-based rules
- **Amazon CloudFront**: Provides caching and DDoS mitigation at edge locations

For protecting API Gateway from HTTP flood attacks, AWS WAF with rate-based rules is the most appropriate and operationally efficient solution.
Author: LeetQuiz Editorial Team
A financial company hosts a web application on AWS. The application uses an Amazon API Gateway Regional API endpoint to give users the ability to retrieve current stock prices. The company’s security team has noticed an increase in the number of API requests. The security team is concerned that HTTP flood attacks might take the application offline.
A solutions architect must design a solution to protect the application from this type of attack.
Which solution meets these requirements with the LEAST operational overhead?
A
Create an Amazon CloudFront distribution in front of the API Gateway Regional API endpoint with a maximum TTL of 24 hours.
B
Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.
C
Use Amazon CloudWatch metrics to monitor the Count metric and alert the security team when the predefined rate is reached.
D
Create an Amazon CloudFront distribution with Lambda@Edge in front of the API Gateway Regional API endpoint. Create an AWS Lambda function to block requests from IP addresses that exceed the predefined rate.