An ecommerce website runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group. The site is experiencing high request rates from illegitimate external systems whose IP addresses change frequently. The security team is concerned about potential DDoS attacks. The company must block these illegitimate requests with minimal impact to legitimate users. What should a solutions architect recommend?
Choose an answer
Tap an option to check your answer.
Correct answer: Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule..
Why this is the answer
AWS WAF (Web Application Firewall) is the correct choice because it directly addresses the problem of illegitimate requests and potential DDoS attacks at the application layer. By associating WAF with the ALB and configuring a rate-limiting rule, you can effectively block requests from IP addresses that exceed a defined threshold, thus mitigating attacks with minimal impact on legitimate users. Amazon Inspector is a security assessment service that identifies vulnerabilities, not a real-time traffic blocking solution. Network ACLs operate at the subnet level and are stateless; while they can block IPs, they are less effective against frequently changing IPs and lack the application-layer intelligence of WAF. Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, but it does not directly block traffic or offer rate-limiting protection for web requests.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed