
Answer-first summary for fast verification
Answer: Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
## Explanation

**Correct Answer: B** - Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.

**Why this is correct:**

1. **AWS WAF (Web Application Firewall)** is specifically designed to protect web applications from common web exploits and bots.
2. **Rate-limiting rules** in AWS WAF can help mitigate DDoS attacks by limiting the number of requests from a single IP address within a specified time period.
3. **Association with ALB** allows AWS WAF to inspect HTTP/HTTPS traffic at the application layer (Layer 7).
4. **Minimal impact on legitimate users** - Rate-limiting rules can be configured with appropriate thresholds to allow legitimate traffic while blocking malicious traffic.
5. **Changing IP addresses** - AWS WAF can handle attacks from multiple IP addresses through rate-based rules that don't rely solely on static IP blocking.

**Why other options are incorrect:**

- **A. Amazon Inspector** - This is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It is not designed for real-time DDoS protection or rate limiting.
- **C. Network ACLs** - Network ACLs operate at the subnet level (Layer 3/4) and use static IP-based rules. They cannot effectively handle attacks from changing IP addresses and cannot perform rate limiting at the application layer.
- **D. Amazon GuardDuty** - This is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. While it can detect DDoS attacks, it does not provide real-time mitigation or rate-limiting capabilities.
**Key AWS Services for DDoS Protection:**

- **AWS Shield** - Managed DDoS protection service
- **AWS WAF** - Web application firewall with rate-limiting capabilities
- **Amazon CloudFront** - CDN with DDoS mitigation features
- **Route 53** - DNS service with DDoS protection

For this specific scenario with changing IP addresses and application-layer attacks, AWS WAF with rate-limiting rules is the most appropriate solution.
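As an added example (not part of the quiz page or its answer key), the following CloudFormation template shows what option B looks like in practice: a regional AWS WAF web ACL with a rate-based rule aggregated per source IP, associated with an existing ALB. The ALB ARN is a placeholder parameter and the request limit is an assumed starting threshold.

```yaml
# Added example: AWS WAF rate-based rule in front of an ALB (CloudFormation).
# The ALB ARN is a placeholder; the limit is an assumed starting value to tune.
AWSTemplateFormatVersion: "2010-09-09"
Description: Rate-limit abusive clients in front of an ALB with AWS WAF

Parameters:
  AlbArn:
    Type: String
    Description: ARN of the existing Application Load Balancer (placeholder)
  RequestLimit:
    Type: Number
    Default: 2000
    Description: Max requests per source IP per evaluation window before blocking

Resources:
  EcommerceWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: ecommerce-alb-web-acl
      Scope: REGIONAL            # ALBs are regional; CloudFront would use CLOUDFRONT
      DefaultAction:
        Allow: {}               # legitimate traffic passes unless a rule blocks it
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: EcommerceWebAcl
      Rules:
        - Name: RateLimitPerSourceIp
          Priority: 0
          Action:
            Block: {}           # use Count: {} first to observe before enforcing
          Statement:
            RateBasedStatement:
              Limit: !Ref RequestLimit
              EvaluationWindowSec: 300   # sliding 5-minute window
              AggregateKeyType: IP       # counted per source IP, no static IP list
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimitPerSourceIp

  WebAclToAlb:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt EcommerceWebAcl.Arn
```

Deploying the rule with `Count` first and reviewing the `RateLimitPerSourceIp` CloudWatch metric and sampled requests shows how many legitimate clients would cross the threshold before it is switched to `Block`.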
Author: LeetQuiz Editorial Team
A company operates an ecommerce website on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. The site is experiencing performance issues related to a high request rate from illegitimate external systems with changing IP addresses. The security team is worried about potential DDoS attacks against the website. The company must block the illegitimate incoming requests in a way that has a minimal impact on legitimate users.
What should a solutions architect recommend?
A. Deploy Amazon Inspector and associate it with the ALB.
B. Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
C. Deploy rules to the network ACLs associated with the ALB to block the incoming traffic.
D. Deploy Amazon GuardDuty and enable rate-limiting protection when configuring GuardDuty.