Which solution meets these requirements with the LEAST operational overhead?

By:
In: SAA-C03
Tagged:
With: 2 Comments
A financial company hosts a web application on AWS.The application uses an Amazon API Gateway Regional API endpoint to give users the ability to retrieve current stock prices.The company’s security team has noticed an increase in the number of API requests.The security team is concerned that HTTP flood attacks might take the application offline.A solutions architect must design a solution to protect the application from this type of attack.

Which solution meets these requirements with the LEAST operational overhead?

Create an Amazon CloudFront distribution in front of the API Gateway Regional API endpoint with a maximum TTL of 24 hours.

Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.

Use Amazon CloudWatch metrics to monitor the Count metric and alert the security team when the predefined rate is reached.

Create an Amazon CloudFront distribution with Lambda@Edge in front of the API Gateway Regional API endpoint. Create an AWS Lambda function to block requests from IP addresses that exceed the predefined rate.

Explanations:

While using CloudFront can help with caching and potentially reduce the load on the API, it does not inherently protect against HTTP flood attacks. A maximum TTL of 24 hours means that even if a flood occurs, it would not actively mitigate the incoming requests, which is the primary concern.

Implementing a Regional AWS WAF web ACL with a rate-based rule allows for automatic blocking of IP addresses that exceed a specified request rate. This solution effectively mitigates HTTP flood attacks with minimal operational overhead, as AWS WAF manages the rules and enforcement without requiring manual intervention.

Using CloudWatch metrics to monitor API request counts is a reactive solution that only alerts the security team after the predefined rate is reached. It does not prevent or mitigate the flood attack in real-time, leaving the application vulnerable during the attack.

Although using CloudFront with Lambda@Edge could potentially allow for custom request handling and IP blocking, this solution introduces more complexity and operational overhead. It requires managing a Lambda function and additional code to implement rate limiting, which is not as straightforward as the WAF solution.

2026-03-14

2 Comments

  1. Jeffrey
    Author

    I assess that the answer is:
    Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.

  2. Kathy
    Author

    As far as I can tell, the answer is:
    Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage.

Leave a Reply to Kathy Cancel reply

Your email address will not be published. Required fields are marked *

1 × three =