
A company operates an ecommerce website on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. The site is experiencing performance issues related to a high request rate from illegitimate external systems with changing IP addresses. The security team is worried about potential DDoS attacks against the website. The company must block the illegitimate incoming requests in a way that has a minimal impact on legitimate users.
What should a solutions architect recommend?
A. Deploy Amazon Inspector and associate it with the ALB.
B. Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
C. Deploy rules to the network ACLs associated with the ALB to block the incoming traffic.
D. Deploy Amazon GuardDuty and enable rate-limiting protection when configuring GuardDuty.
Explanation:
Correct Answer: B - Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
Why this is correct:
Why other options are incorrect:
A. Amazon Inspector - This is an automated security assessment service that helps improve security and compliance of applications deployed on AWS. It's not designed for real-time DDoS protection or rate-limiting.
C. Network ACLs - Network ACLs operate at the subnet level (Layer 3/4) and use static IP-based rules. They cannot effectively handle attacks from changing IP addresses and cannot perform rate-limiting at the application layer.
D. Amazon GuardDuty - This is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. While it can detect DDoS attacks, it doesn't provide real-time mitigation or rate-limiting capabilities.
Key AWS Services for DDoS Protection:
For this specific scenario with changing IP addresses and application-layer attacks, AWS WAF with rate-limiting rules is the most appropriate solution.