Which solution meets these requirements with the MOST operational efficiency?
A. Use AWS Firewall Manager to create a security group and security group policy to deny access from the IP addresses.
B. Create an AWS WAF web ACL with a rate-based rule, and set the rule action to Block. Connect the web ACL to the ALB.
C. Use AWS Firewall Manager to create a security group and security group policy to allow access only to specific CIDR ranges.
D. Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB.
Explanations:
A. AWS Firewall Manager is used for managing security policies across multiple accounts and resources, but creating a security group to deny access from dynamic IP addresses is not operationally efficient: the security group would need to be updated every time the attacker's IP addresses change.
B. Using AWS WAF with a rate-based rule to block excessive requests from individual source IP addresses is an effective way to mitigate high-volume login attempts. The rule adapts automatically as the source IP addresses change, and it protects the authentication service from being overwhelmed by failed login attempts without any manual list maintenance.
C. Similar to Option A, using a security group to allow access only from specific CIDR ranges would not effectively address the problem of changing IP addresses. It would require manual updates to the security group, making it operationally inefficient.
D. While an AWS WAF web ACL with an IP set match rule can block specific IP addresses, the dynamic nature of the IP addresses (changing weekly) would require regular updates to the IP set, making it less efficient than a rate-based rule.
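As an added illustration of the approach in Option B (this is example Terraform, not part of the original question or answer key), the configuration below defines a regional AWS WAF web ACL whose single rule rate-limits requests per source IP and blocks the source while it exceeds the limit, then associates the web ACL with an Application Load Balancer. The ACL name `login-rate-limit`, the `/login` URI prefix used to scope the rule, the limit of 300 requests, and the `aws_lb.app` resource reference are all assumptions chosen for the example.

```hcl
# Example only: web ACL with one rate-based rule, scoped to the login path.
# Names, the /login prefix, the limit and the aws_lb.app reference are assumed.
resource "aws_wafv2_web_acl" "login_rate_limit" {
  name  = "login-rate-limit"
  scope = "REGIONAL" # REGIONAL is required for ALB associations

  # Everything not matched by a blocking rule is allowed through.
  default_action {
    allow {}
  }

  rule {
    name     = "block-login-bursts"
    priority = 1

    # Block (rather than Count) so offending sources are actually dropped.
    action {
      block {}
    }

    statement {
      rate_based_statement {
        # Requests per source IP in the evaluation window (assumed value).
        limit              = 300
        aggregate_key_type = "IP"

        # Only count requests to the login endpoint, so normal browsing
        # from a shared NAT address does not trip the limit.
        scope_down_statement {
          byte_match_statement {
            search_string         = "/login"
            positional_constraint = "STARTS_WITH"
            field_to_match {
              uri_path {}
            }
            text_transformation {
              priority = 0
              type     = "LOWERCASE"
            }
          }
        }
      }
    }

    # Metrics and sampled requests let operators verify what is being blocked.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "login-rate-limit-rule"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "login-rate-limit-acl"
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL to the ALB (aws_lb.app is an assumed existing resource).
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = aws_wafv2_web_acl.login_rate_limit.arn
}
```

The rate-based statement counts requests per source IP over a rolling window (five minutes by default) and automatically blocks an IP only while it stays above the limit, releasing it once its rate drops. That is why nothing has to be edited when the attacking addresses change weekly, unlike the IP set in Option D. The `scope_down_statement` keeps the count focused on the authentication endpoint, and the sampled requests and CloudWatch metrics give the operations team a way to confirm the rule is catching the login bursts and not legitimate traffic.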