Which solution meets these requirements with the MOST operational efficiency?
Use AWS Firewall Manager to create a security group and security group policy to deny access from the IP addresses.
Create an AWS WAF web ACL with a rate-based rule, and set the rule action to Block. Connect the web ACL to the ALB.
Use AWS Firewall Manager to create a security group and security group policy to allow access only to specific CIDR ranges.
Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB.
Explanations:
AWS Firewall Manager centrally manages security policies across accounts, but it is not a tool for blocking a set of IP addresses that changes every week. Security groups are also the wrong mechanism: they are allow lists with no deny rules, so a security group policy cannot express "deny these addresses"; blocking a source would mean rewriting the allow rules instead, and the allow rules on a public ALB must already admit 0.0.0.0/0 for the application to be reachable. Maintaining that by hand for a large number of failed login attempts from ever-changing addresses is not operationally efficient.
AWS WAF's rate-based rule counts the requests from each source IP over a trailing evaluation window (5 minutes by default) and automatically blocks any IP whose count exceeds the configured limit, then automatically stops blocking it once the rate falls back under the limit. Nobody has to maintain a list of addresses, so it keeps working when the attacking IPs change each week, which makes it the best fit for mitigating brute-force and credential-stuffing login attempts. Associating the web ACL with the ALB means the rule is evaluated at the load balancer, before the request is forwarded to the authentication service. Two practical caveats: the rule counts requests, not failed logins (WAF cannot see the authentication result), and it counts every request from the IP unless a scope-down statement narrows it, so a production rule should be scoped to the login path (for example a URI path match) to avoid throttling normal traffic.
While AWS Firewall Manager can manage security group policies, allow-listing specific CIDR ranges does not address the scenario: the attacking IP addresses change weekly, so the ranges would need constant updates, and an allow-only policy on an internet-facing ALB would also lock out legitimate users who connect from outside the listed ranges. Both effects reduce operational efficiency.
An IP set match rule with a block action does work at the ALB, but it only blocks the addresses in the IP set. Because the IP addresses change every week, the team would have to update the IP set each week (or build and maintain automation to do it), which is significantly more manual effort than a rate-based rule that adapts on its own.
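To make the rate-based rule explanation concrete, here is an added example (not part of the original question or of any AWS documentation) that shows the rule in the JSON shape accepted by `aws wafv2 create-web-acl --rules` or boto3's `wafv2.create_web_acl(Rules=[...])`, together with a small offline simulation of how the trailing-window count decides which source IPs get blocked. The rule name, the `/login` path, the toy `Limit` of 5 (far below the service minimum; real rules must use at least that minimum) and the sample traffic are all assumptions made for the demonstration, and the simulation approximates AWS's counting rather than reproducing WAF's exact evaluation cadence.

```python
"""Added example: a WAF rate-based rule scoped to the login path, plus an
offline approximation of the trailing-window counting that decides which
source IPs are blocked. Rule name, path, limit and traffic are assumed."""
from collections import defaultdict

# Rule in the shape used by `aws wafv2 create-web-acl --rules` and
# boto3 wafv2.create_web_acl(Rules=[...]).  Limit=5 is a toy value for the
# demo only; AWS enforces a much higher minimum for a real rule.
LOGIN_RATE_RULE = {
    "Name": "LoginRateLimit",  # assumed name
    "Priority": 0,
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "LoginRateLimit",
    },
    "Statement": {
        "RateBasedStatement": {
            "Limit": 5,
            "AggregateKeyType": "IP",
            # Scope-down: only requests to the login path count toward the
            # rate, so static assets and normal browsing are not throttled.
            "ScopeDownStatement": {
                "ByteMatchStatement": {
                    "FieldToMatch": {"UriPath": {}},
                    "PositionalConstraint": "STARTS_WITH",
                    "SearchString": "/login",  # assumed login path
                    "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                }
            },
        }
    },
}

WINDOW_SECONDS = 300  # default rate-based rule evaluation window (5 minutes)


def in_scope(rule, path):
    """Apply the rule's ByteMatch scope-down: a request counts only if its
    lowercased URI path starts with the configured search string."""
    bm = rule["Statement"]["RateBasedStatement"]["ScopeDownStatement"]["ByteMatchStatement"]
    return path.lower().startswith(bm["SearchString"])


def blocked_ips(rule, requests, window=WINDOW_SECONDS):
    """Return the set of source IPs the rule would block: an IP is blocked as
    soon as its in-scope request count within any trailing window exceeds
    Limit. `requests` is an iterable of (unix_seconds, source_ip, uri_path)."""
    limit = rule["Statement"]["RateBasedStatement"]["Limit"]
    per_ip = defaultdict(list)
    for ts, ip, path in sorted(requests):
        if in_scope(rule, path):
            per_ip[ip].append(ts)
    blocked = set()
    for ip, times in per_ip.items():
        start = 0  # oldest request still inside the trailing window
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                blocked.add(ip)
                break
    return blocked


# Constructed sample traffic (not real logs): (unix seconds, source IP, URI path).
SAMPLE_REQUESTS = (
    [(t, "203.0.113.7", "/login") for t in range(0, 60, 10)]         # 6 login attempts in one minute
    + [(t, "198.51.100.9", "/login") for t in range(0, 1800, 300)]   # 6 attempts spread over 30 minutes
    + [(t, "192.0.2.5", "/static/app.js") for t in range(0, 60, 5)]  # 12 asset fetches, out of scope
    + [(t, "192.0.2.5", "/login") for t in range(0, 30, 10)]         # plus 3 login attempts
)

if __name__ == "__main__":
    print(sorted(blocked_ips(LOGIN_RATE_RULE, SAMPLE_REQUESTS)))
```

Only 203.0.113.7 is blocked: it made six in-scope requests inside the window, while 198.51.100.9 spread the same six attempts over 30 minutes and never has more than two in any 5-minute window, and 192.0.2.5's asset fetches are excluded by the scope-down. In an account the rule dict would be passed in the `Rules` list to `create_web_acl` and the resulting web ACL attached with `associate_web_acl(WebACLArn=..., ResourceArn=<ALB ARN>)`; neither call is made here.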