How should the security engineer address this problem?
Using AWS Shield, configure a deny rule with an IP match condition containing the source IPs of the unwanted requests.
Using Auto Scaling, configure the maximum an instance value to an increased count that will absorb the unwanted requests.
Using an Amazon VPC NACL, configure an inbound deny rule for each source IP CIDR address of the unwanted requests.
Using AWS WAF, configure a web ACL rate-based rule on the CloudFront distribution with a rate limit below that of the unwanted requests.
Explanations:
AWS Shield is primarily used for DDoS protection and does not allow for the configuration of specific deny rules based on IP addresses at the application layer. It is more focused on protecting against volumetric attacks rather than filtering specific unwanted traffic.
While increasing the number of instances in an Auto Scaling group may help absorb some unwanted requests, it does not address the root cause of the problem. It would also lead to increased costs and potentially worsen performance under load rather than mitigating the unwanted traffic directly.
Configuring an inbound deny rule in a VPC Network ACL (NACL) would block the unwanted IPs only at the network level, which does not apply to traffic passing through CloudFront. CloudFront’s edge locations are outside of the VPC, so this method would not be effective for filtering unwanted requests to the distribution.
Using AWS WAF to create a rate-based rule on the CloudFront distribution is an effective method to limit the number of requests from specific IP addresses. By setting a rate limit below the volume of unwanted requests, the WAF can effectively block or limit these requests, enhancing the performance of the application by reducing unwanted traffic.
I rate that the answer is:
Using AWS WAF, configure a web ACL rate-based rule on the CloudFront distribution with a rate limit below that of the unwanted requests.