How should the Administrator protect the web servers?
Create a security group for the web servers and add deny rules for malicious sources.
Set the network access control list for the web servers’ subnet and add deny entries.
Place web servers behind AWS WAF and establish the rate limit to create a blacklist.
Use Amazon CloudFront to cache all pages and remove the traffic from the web servers.
Explanations:
Security groups are stateful and only support allow rules, not deny rules, so they cannot block traffic from malicious sources, especially when that traffic is distributed across many IPs.
Network ACLs are stateless and can block traffic at the subnet level with deny entries. However, maintaining deny entries for specific IP ranges is impractical against a large-scale, high-traffic attack.
AWS WAF supports rate-based rules and can block malicious traffic based on patterns, such as per-IP rate limits or other attack signatures, which effectively mitigates abusive high-volume traffic.
CloudFront can cache content and reduce load on the web servers, but it does not itself block malicious traffic, so on its own it is not a solution for blocking malicious traffic.