Exam AWS Certified Solutions Architect - Professional All Questions

Exam AWS Certified Solutions Architect - Professional topic 1 question 752 discussion

A company is creating a REST API to share information with six of its partners based in the United States. The company has created an Amazon API Gateway Regional endpoint. Each of the six partners will access the API once per day to post daily sales figures.

After initial deployment, the company observes 1,000 requests per second originating from 500 different IP addresses around the world. The company believes this traffic is originating from a botnet and wants to secure its API while minimizing cost.

Which approach should the company take to secure its API?

  • A. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Configure CloudFront with an origin access identity (OAI) and associate it with the distribution. Configure API Gateway to ensure only the OAI can run the POST method.
  • B. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Add a custom header to the CloudFront distribution populated with an API key. Configure the API to require an API key on the POST method.
  • C. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a resource policy with a request limit and associate it with the API. Configure the API to require an API key on the POST method.
  • D. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.
Suggested Answer: D

Comments

mericov
Highly Voted 3 years, 2 months ago
D. - "A usage plan specifies who can access one or more deployed API stages and methods—and also how much and how fast they can access them. The plan uses API keys to identify API clients and meters access to the associated API stages for each key. It also lets you configure throttling limits and quota limits that are enforced on individual client API keys." https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html
upvoted 18 times
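The option D design that mericov's quoted documentation describes, expressed as an added CloudFormation example (not part of the original thread or of the AWS documentation it quotes): a REGIONAL web ACL that allows only the partner addresses and blocks everything else, attached to the API stage, plus a usage plan with a daily quota and a per-key throttle. REPLACE_API_ID, the stage name prod and the two TEST-NET partner CIDRs are placeholders, and the POST method is assumed to already have ApiKeyRequired set to true.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# Assumed: an existing Regional REST API (REPLACE_API_ID) deployed to stage "prod",
# with ApiKeyRequired: true already set on the POST method.
Resources:
  PartnerIpSet:                      # only the six partner addresses belong here
    Type: AWS::WAFv2::IPSet
    Properties:
      Scope: REGIONAL                # REGIONAL, not CLOUDFRONT, for an API Gateway stage
      IPAddressVersion: IPV4
      Addresses: [203.0.113.10/32, 198.51.100.20/32]   # constructed TEST-NET placeholders
  PartnerOnlyAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: REGIONAL
      DefaultAction: { Block: {} }   # anything not on the allow list is dropped
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: PartnerOnlyAcl }
      Rules:
        - Name: AllowPartners
          Priority: 0
          Action: { Allow: {} }
          Statement:
            IPSetReferenceStatement: { Arn: !GetAtt PartnerIpSet.Arn }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: AllowPartners }
  AclAssociation:                    # binds the web ACL to the API stage itself, no CloudFront needed
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      WebACLArn: !GetAtt PartnerOnlyAcl.Arn
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/REPLACE_API_ID/stages/prod
  PartnerUsagePlan:                  # the "request limit" of option D lives here, not in a resource policy
    Type: AWS::ApiGateway::UsagePlan
    Properties:
      UsagePlanName: partner-daily-sales
      ApiStages: [{ ApiId: REPLACE_API_ID, Stage: prod }]
      Quota: { Limit: 5, Period: DAY }           # per key per day; each partner posts once a day
      Throttle: { RateLimit: 1, BurstLimit: 2 }  # per key, requests per second
  PartnerApiKey:                     # one key per partner; repeat this pair for the other five
    Type: AWS::ApiGateway::ApiKey
    Properties: { Name: partner-1, Enabled: true }
  PartnerPlanKey:                    # attaches the key to the plan so quota and throttle apply per partner
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref PartnerApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref PartnerUsagePlan
```

The web ACL's default Block disposes of the botnet traffic before it reaches API Gateway; the usage plan only meters requests that arrive with a valid key.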
Jupi
Highly Voted 3 years, 2 months ago
A - wrong. You can use WAF to protect your API Gateway directly without CloudFront.
B - wrong. You can use WAF to protect your API Gateway directly without CloudFront.
C - wrong. You can use API Gateway resource policies to allow users from a specified AWS account, from specified IP ranges or CIDR blocks, or from specified VPCs or VPC endpoints. A request limit is not part of resource policies.
D - correct. API Gateway usage plans can limit the API access and make sure that the usage does not exceed thresholds we define.
upvoted 15 times
tomosabc1
Most Recent 2 years, 2 months ago
Selected Answer: D
A (wrong): OAI is used only for S3.
B (wrong): It is not possible to define a WAF web ACL rule to block clients that submit more than five requests per day, because "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action on IPs with rates that go over a limit. You set the limit as the number of requests per 5-minute time span. ... The following caveats apply to AWS WAF rate-based rules: The minimum rate that you can set is 100. AWS WAF checks the rate of requests every 30 seconds, and counts requests for the prior five minutes each time. Because of this, it's possible for an IP address to send requests at too high a rate for 30 seconds before AWS WAF detects and blocks it. AWS WAF can block up to 10,000 IP addresses. If more than 10,000 IP addresses send high rates of requests at the same time, AWS WAF will only block 10,000 of them." https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 2 times
Kyperos
2 years, 4 months ago
A CDN is also a way to prevent DDoS. This question focuses on "500 unique IP addresses worldwide", so the 500 IPs come from multiple Regions around the world; if you use CloudFront, you will distribute the DDoS attack traffic to the nearest PoPs and apply rate limiting on those PoPs. ----> Answer is B
upvoted 2 times
Jughead
2 years, 4 months ago
Selected Answer: D
D is the answer
upvoted 1 times
RVivek
2 years, 11 months ago
Why not B? Adding CloudFront provides the AWS Shield service, which is free DDoS protection. https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc
upvoted 1 times
AzureDP900
3 years ago
Read both docs and choose your option. I am going with D.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html
upvoted 3 times
cldy
3 years ago
D. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.
upvoted 2 times
andylogan
3 years, 1 month ago
It's D
upvoted 2 times
tgv
3 years, 2 months ago
DDD ---
upvoted 2 times
blackgamer
3 years, 2 months ago
D is the answer
upvoted 2 times
denccc
3 years, 2 months ago
I'll go with D
upvoted 3 times
neta1o
3 years, 2 months ago
+1 to D, seems like usage plans support the referenced rate limits where resource policies don't.
upvoted 3 times
vjawscert
3 years, 2 months ago
My vote - D.
A, B - Ignored, as CloudFront is not required since it's a Regional resource. It is gonna add costs. Also, WAF can directly sit on top of APIGW.
C - Incorrect, as resource policies are used to restrict access and not to provide a limit. The request limit is done with a usage plan.
upvoted 6 times
zolthar_z
3 years, 2 months ago
I think it is C; a resource policy allows control of the IP source: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html
upvoted 4 times
rb39
3 years ago
But you cannot define a limit in a resource policy; it's just allow/deny access.
upvoted 2 times
pkboy78
3 years, 3 months ago
I think it is C.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other