Which solution will meet these requirements with the LEAST operational overhead?
Create an Amazon CloudWatch alarm that monitors server access. Set a threshold based on access by IP address. Configure an alarm action that adds the IP address to the web ACL’s deny list.
Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource.
Create an Amazon CloudWatch alarm that monitors user IP addresses. Set a threshold based on access by IP address. Configure the alarm to invoke an AWS Lambda function to add a deny rule in the application server’s subnet route table for any IP addresses that activate the alarm.
Inspect access logs to find a pattern of IP addresses that launched the attacks. Use an Amazon Route 53 geolocation routing policy to deny traffic from the countries that host those IP addresses.
Explanations:
While this option suggests monitoring IP addresses and dynamically adding them to a deny list, it requires manual intervention and maintenance of the deny list, leading to higher operational overhead. Additionally, it may not be effective against rapidly changing IP addresses during an attack.
Deploying AWS Shield Advanced provides advanced DDoS protection and automatic mitigation capabilities, reducing operational overhead by handling attacks without manual intervention. It works well with AWS WAF to protect against application layer attacks.
This option involves using CloudWatch alarms to trigger a Lambda function to deny IP addresses, which adds complexity and operational overhead. This method requires continuous monitoring and is reactive rather than proactive, so it may not effectively mitigate sudden attacks.
This approach relies on inspecting access logs for patterns and implementing geolocation routing, which is cumbersome and slow to take effect. Attackers may use IP addresses from allowed countries, and geolocation filtering does not address the immediate threat effectively.