Question #780
A company provides a REST API for six US-based partners to retrieve inventory data once daily using an Amazon API Gateway Regional endpoint. After deployment, the company observes 2,000 requests per second originating from 800 different IP addresses globally, suspected to be a botnet. The company needs to secure the API while minimizing costs.
Which approach should the company take to secure its API?
A. Create an Amazon CloudFront distribution with the API as the origin. Configure AWS WAF with a rule to block clients exceeding two requests per day. Associate the WAF web ACL with CloudFront. Use an origin access identity (OAI) to restrict API access to CloudFront. Require an API key for the GET method in API Gateway.
B. Create an Amazon CloudFront distribution with the API as the origin. Configure AWS WAF with a rule to allow only the partners' IP addresses. Associate the WAF web ACL with CloudFront. Add a custom header with an API key to the distribution. Require the API key for the GET method in API Gateway.
C. Create an AWS WAF web ACL to block all IPs except the partners'. Associate it with the API. Create a resource policy to throttle requests and attach it to the API. Require an API key for the GET method.
D. Create an AWS WAF web ACL to allow only the partners' IP addresses. Associate it with the API. Create a usage plan with a request limit and link it to the API. Generate an API key and add it to the usage plan.
Explanation
Answer D is correct because:
1. AWS WAF Web ACL: Restricts access to only the partners' IP addresses, blocking the botnet's global IPs.
2. Usage Plan with Request Limit: Enforces a daily request limit (aligned with the partners' once-daily retrieval), preventing abuse even if credentials are compromised.
3. API Key Authentication: Adds an additional security layer, ensuring only authorized clients with valid keys can access the API.
Why other options are incorrect:
- A: Rate-limiting via WAF (2 requests/day) is ineffective against distributed botnets. CloudFront adds unnecessary cost.
- B: CloudFront increases costs. Custom headers/API keys are redundant if IPs are already whitelisted.
- C: Resource policies for throttling are less precise than usage plans. WAF alone cannot enforce daily request limits.
Key Points:
- Use WAF IP whitelisting to block unauthorized traffic.
- Usage plans + API keys enforce request quotas and authentication.
- Avoid CloudFront unless required for caching/edge optimization.
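The three controls in option D, expressed as an added CloudFormation template (not part of the original question or of any AWS documentation). It assumes an existing REST API and stage (`RestApiId`, `StageName` parameters), uses TEST-NET placeholder CIDRs in place of the six partners' real addresses, and provisions one key for one partner; the pattern repeats per partner.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - WAF IP allow-list, usage plan and API key for an API Gateway REST API stage

Parameters:
  RestApiId:
    Type: String
    Description: Id of an existing API Gateway REST API (assumed to exist already)
  StageName:
    Type: String
    Default: prod
  PartnerCidrs:
    Type: CommaDelimitedList
    # Placeholder TEST-NET ranges; replace with the partners' real egress CIDRs
    Default: "203.0.113.10/32,198.51.100.0/24"

Resources:
  # 1. Regional IP set holding only the partners' addresses
  PartnerIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: partner-allow-list
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses: !Ref PartnerCidrs

  # Web ACL: default action is Block, the single rule allows the partner IP set.
  # Everything from the 800 botnet addresses is dropped before reaching the API.
  ApiWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: inventory-api-acl
      Scope: REGIONAL
      DefaultAction:
        Block: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: inventory-api-acl
      Rules:
        - Name: allow-partner-ips
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt PartnerIpSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: allow-partner-ips

  # Attach the web ACL directly to the REST API stage (no CloudFront in the path)
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${RestApiId}/stages/${StageName}"
      WebACLArn: !GetAtt ApiWebAcl.Arn

  # 2. Usage plan with a daily quota per key. Limit of 2 (not 1) is an assumption
  #    leaving room for one retry of the once-daily retrieval.
  InventoryUsagePlan:
    Type: AWS::ApiGateway::UsagePlan
    Properties:
      UsagePlanName: partner-daily-plan
      ApiStages:
        - ApiId: !Ref RestApiId
          Stage: !Ref StageName
      Quota:
        Limit: 2
        Period: DAY
      Throttle:
        RateLimit: 1
        BurstLimit: 2

  # 3. One API key per partner, bound to the plan via a UsagePlanKey
  PartnerApiKey:
    Type: AWS::ApiGateway::ApiKey
    Properties:
      Name: partner-1-key   # placeholder name
      Enabled: true

  PartnerPlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref PartnerApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref InventoryUsagePlan
```

Two details that are easy to miss: the quota is only enforced on requests that present a key, so the GET method itself must be defined with `ApiKeyRequired: true` (on the `AWS::ApiGateway::Method` resource that this template assumes already exists), and the web ACL must be associated with the stage, not the API id, or the allow-list never takes effect. The WAF layer cuts the botnet traffic at the edge of the Regional endpoint, and the `MetricName` values give CloudWatch counters of blocked versus allowed requests for verifying that the filter is doing its job.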
Answer
The correct answer is: D