
  • Possibly misleading question about WAF

  • an-user

    March 2, 2022 at 6:06 am

    Relevant parts bolded. My justification below the question.

    Category: CSAA – Design Secure Applications and Architectures

    A company hosted an e-commerce website on an Auto Scaling group of EC2 instances behind an Application Load Balancer. The Solutions Architect noticed that the website is receiving a large number of illegitimate external requests from multiple systems with IP addresses that constantly change. To resolve the performance issues, the Solutions Architect must implement a solution that would block the illegitimate requests with minimal impact on legitimate traffic.

    Which of the following options fulfills this requirement?

    Answer marked as correct: Create a rate-based rule in AWS WAF and associate the web ACL to an Application Load Balancer.

    Why I think this is wrong:

    The question states that the IP addresses constantly change and come from multiple systems. <b>WAF rate-based rules won’t work if the IP addresses change constantly, as they are based on the rate of requests for each unique source IP address.</b> Thus, no individual IP address will register as having a high rate, and the rule will still allow the illegitimate requests through. Also, this sounds like a DDoS attack, for which AWS Shield or Shield Advanced is the correct service.

    If I’m mistaken, my apologies.

  • Carlo-TutorialsDojo

    March 3, 2022 at 6:03 am

    Hello an-user,

    Thanks for your feedback.

    Using WAF is still valid. Providing an IP address to whitelist/blacklist is optional; you can set and combine conditions other than IP matching such as inspecting for a specific header value, query parameters, body, method, etc. Matching requests will also count towards the rate-limit threshold that you configure. It’s also possible that the suspicious IP addresses are within the same CIDR range. If this is the case, you can set a range of IP addresses to block when creating a rule.

    Carlo @ Tutorials Dojo
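To make the two mechanisms in this reply concrete, here is an added example of an AWS WAFv2 web ACL in the JSON shape used by the WAFv2 API and the console's JSON rule editor. It is not taken from the thread or from Tutorials Dojo material. Rule 1 blocks a known address range through an IP set (the ARN is a placeholder; the set itself would hold a CIDR such as 203.0.113.0/24). Rule 2 is a rate-based rule whose scope-down statement counts only requests that both start with the `/api/` path and carry `python-requests` in the User-Agent header. The rule names, the `/api/` prefix, the User-Agent substring and the limit of 500 are assumed values chosen for illustration.

```json
{
  "Name": "ecommerce-web-acl",
  "Scope": "REGIONAL",
  "DefaultAction": { "Allow": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "ecommerce-web-acl"
  },
  "Rules": [
    {
      "Name": "block-known-bad-cidr",
      "Priority": 0,
      "Statement": {
        "IPSetReferenceStatement": {
          "ARN": "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/bad-cidrs/IPSET_ID_PLACEHOLDER"
        }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "block-known-bad-cidr"
      }
    },
    {
      "Name": "rate-limit-scripted-api-clients",
      "Priority": 1,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 500,
          "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "AndStatement": {
              "Statements": [
                {
                  "ByteMatchStatement": {
                    "FieldToMatch": { "UriPath": {} },
                    "PositionalConstraint": "STARTS_WITH",
                    "SearchString": "/api/",
                    "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
                  }
                },
                {
                  "ByteMatchStatement": {
                    "FieldToMatch": { "SingleHeader": { "Name": "user-agent" } },
                    "PositionalConstraint": "CONTAINS",
                    "SearchString": "python-requests",
                    "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
                  }
                }
              ]
            }
          }
        }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "rate-limit-scripted-api-clients"
      }
    }
  ]
}
```

Two details matter when reading this against the thread. First, `AggregateKeyType: "IP"` keys the counter by source IP address; the scope-down statement narrows which requests are counted toward the `Limit` (evaluated over a 5-minute window, with a minimum of 100), but it does not change that the count is per address. Second, the priority order means a request from an address in the IP set is blocked by rule 1 before rule 2 ever sees it. If clients reach the ALB through another proxy or CDN, the per-IP aggregation would need `AggregateKeyType: "FORWARDED_IP"` with a `ForwardedIPConfig` so that the rule counts the original client address rather than the proxy's. Enabling `SampledRequestsEnabled` lets you review which requests the rate-based rule actually caught before switching its `Action` from `Count` to `Block` in production.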
