Which solution meets these requirements with the LEAST operational overhead?
Create an Amazon CloudFront distribution in front of the API Gateway Regional API endpoint with a maximum TTL of 24 hours.
Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.
Use Amazon CloudWatch metrics to monitor the Count metric and alert the security team when the predefined rate is reached.
Create an Amazon CloudFront distribution with Lambda@Edge in front of the API Gateway Regional API endpoint. Create an AWS Lambda function to block requests from IP addresses that exceed the predefined rate.
Explanations:
While a CloudFront distribution can cache responses and reduce load on the API, caching does not by itself protect against an HTTP flood. A maximum TTL of 24 hours only governs how long cached responses are reused; it does not limit or block the incoming request rate, which is the primary concern.
Implementing a Regional AWS WAF web ACL with a rate-based rule allows for automatic blocking of IP addresses that exceed a specified request rate. This solution effectively mitigates HTTP flood attacks with minimal operational overhead, as AWS WAF manages the rules and enforcement without requiring manual intervention.
Using CloudWatch metrics to monitor API request counts is a reactive solution that only alerts the security team after the predefined rate is reached. It does not prevent or mitigate the flood in real time, leaving the application exposed for the duration of the attack.
Although using CloudFront with Lambda@Edge could potentially allow for custom request handling and IP blocking, this solution introduces more complexity and operational overhead. It requires managing a Lambda function and additional code to implement rate limiting, which is not as straightforward as the WAF solution.
I assess that the answer is:
Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.
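To make the WAF option concrete, here is an added example (not part of the original question or AWS documentation) showing the rate-based rule statement a Regional web ACL would carry and a local simulation of its per-IP sliding-window decision. The rule name, limit and sample traffic are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta


def rate_based_rule(name: str, limit: int, priority: int = 0) -> dict:
    """WAFv2 rule JSON in the shape `aws wafv2 create-web-acl --rules` accepts.
    Requests are aggregated per source IP; once an IP's count over the trailing
    evaluation window exceeds `limit`, the Block action applies to it."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def simulate(requests, limit: int, window=timedelta(minutes=5)):
    """Approximate the rule over (timestamp, ip) tuples in time order: keep a
    sliding window of timestamps per IP and block a request once that IP's
    count inside the window exceeds `limit`. Returns (ip, verdict) per request."""
    seen: dict[str, deque] = {}
    decisions = []
    for ts, ip in requests:
        q = seen.setdefault(ip, deque())
        q.append(ts)
        while q and ts - q[0] > window:  # evict timestamps older than the window
            q.popleft()
        decisions.append((ip, "BLOCK" if len(q) > limit else "ALLOW"))
    return decisions


def blocked_ips(requests, limit: int) -> set:
    """Set of source IPs that received at least one BLOCK verdict."""
    return {ip for ip, verdict in simulate(requests, limit) if verdict == "BLOCK"}


# Constructed traffic: one client floods (150 requests in 150 s), one browses normally.
T0 = datetime(2024, 1, 1, 12, 0, 0)
FLOOD = [(T0 + timedelta(seconds=i), "203.0.113.9") for i in range(150)]
NORMAL = [(T0 + timedelta(seconds=30 * i), "198.51.100.4") for i in range(10)]
TRAFFIC = sorted(FLOOD + NORMAL)

if __name__ == "__main__":
    print(blocked_ips(TRAFFIC, limit=100))  # only the flooding client is blocked
```

Real AWS WAF aggregates counts across its infrastructure with a short delay and the web ACL is attached with `aws wafv2 associate-web-acl` to the stage ARN (`arn:aws:apigateway:<region>::/restapis/<api-id>/stages/<stage>`); the simulation above only approximates the per-IP semantics.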