Which approach should the company take to secure its API?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company is creating a REST API to share information with six of its partners based in the United States.The company has created an Amazon API Gateway Regional endpoint.Each of the six partners will access the API once per day to post daily sales figures.After initial deployment, the company observes 1,000 requests per second originating from 500 different IP addresses around the world.The company believes this traffic is originating from a botnet and wants to secure its API while minimizing cost.

Which approach should the company take to secure its API?

Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Configure CloudFront with an origin access identity (OAI) and associate it with the distribution. Configure API Gateway to ensure only the OAI can run the POST method.

Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Add a custom header to the CloudFront distribution populated with an API key. Configure the API to require an API key on the POST method.

Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a resource policy with a request limit and associate it with the API. Configure the API to require an API key on the POST method.

Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.

Explanations:

This option suggests using a CloudFront distribution and an origin access identity (OAI), but this is not necessary for securing API access in this scenario. The OAI is used for securing CloudFront content, not API Gateway. Additionally, blocking traffic based on request count is not the most efficient method to prevent botnet activity.

This option involves using CloudFront with an API key, but API Gateway itself is sufficient for API access control. CloudFront and API keys are more suited for access management at scale and are unnecessary in this case. The main problem is blocking bot traffic based on IP addresses, not API key management.

While restricting access to specific IP addresses using AWS WAF is a good security measure, the request limit on the API and requiring an API key are redundant. This approach doesn’t fully protect against the botnet issue. A usage plan should be used instead of a resource policy for better request throttling and management.

This is the most appropriate solution. Using AWS WAF to restrict access based on the IP addresses of trusted partners ensures only they can access the API. Additionally, using a usage plan with a request limit and API keys helps to throttle traffic and limit abuse from botnets while maintaining access control for authorized partners.

2025-10-05

1 Comment

  1. Margaret
    Author

    I judge that the answer is:
    Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.

Leave a Reply to Margaret Cancel reply

Your email address will not be published. Required fields are marked *

four × five =