Question #777
An online learning platform uses Amazon API Gateway for its REST API, which is integrated with AWS Lambda. The API experiences weekly surges in excessive requests from around 800 different IP addresses that rotate each week, causing increased latency and timeouts. A solutions architect needs to mitigate this issue with the MOST operational efficiency. Which solution meets these requirements?
A. Use AWS Firewall Manager to create a security group policy to deny access from the IP addresses.
B. Create an AWS WAF web ACL with a rate-based rule, set the rule action to Block, and associate the web ACL with the API Gateway.
C. Use AWS Firewall Manager to create a security group policy to allow access only to specific CIDR ranges.
D. Create an AWS WAF web ACL with an IP set match rule, set the rule action to Block, and associate the web ACL with the API Gateway.
Explanation
Answer B is correct because an AWS WAF rate-based rule dynamically blocks IP addresses that exceed a specified request rate (e.g., 1,000 requests per 5 minutes). This is ideal for rotating IPs causing surges, as it requires no manual updates to IP lists. Options A and C are incorrect because security groups (managed via Firewall Manager) apply to EC2/VPC resources, not API Gateway. Option D uses static IP sets, which are ineffective against rotating IPs. Rate-based rules provide operational efficiency by automatically mitigating excessive requests without manual intervention.
Answer
The correct answer is: B