How can the security engineer improve the security at the edge of the solution to defend against this type of attack?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company has implemented AWS WAF and Amazon CloudFront for an application.The application runs on Amazon EC2 instances that are part of an AutoScaling group.The Auto Scaling group is behind an Application Load Balancer (ALB).The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution.CloudFront receives the request from AWSWAF and the uses the ALB as the distribution’s origin.During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack.

How can the security engineer improve the security at the edge of the solution to defend against this type of attack?

Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.

Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.

Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.

Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.

Explanations:

While using Lambda@Edge for rate limiting could help reduce the load on CloudFront by blocking excessive requests, it requires additional management and does not inherently provide the same level of protection as a dedicated rate-based rule in AWS WAF. Furthermore, it might not handle large-scale DDoS attacks as effectively as a WAF rule, as it relies on function invocation which can be limited in capacity during large attack volumes.

Increasing the capacity units for the AWS WAF web ACL could improve performance, but it does not directly mitigate DDoS attacks. The capacity units mainly relate to processing rules and requests efficiently rather than providing specific protections against volumetric attacks. Therefore, this option does not directly address the DDoS vulnerability.

Configuring AWS WAF with a rate-based rule is the most effective way to mitigate layer 7 DDoS attacks. This rule allows the engineer to set a specific threshold for requests from a single IP address, automatically blocking or limiting requests when the threshold is exceeded, which directly defends against excessive traffic targeting the application.

Using AWS WAF as an origin for CloudFront is not a viable option, as AWS WAF is not a data source and cannot serve content. WAF is intended to protect applications by filtering traffic but does not function as an origin server. This option misunderstands the architecture of how AWS services interact with each other.

2025-10-03

1 Comment

  1. Bobby
    Author

    I have a feeling that the answer is:
    Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × five =