Question 745 of 1,040
Design Secure Architectures · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is to add an AWS WAF rate-based rule to the CloudFront distribution and configure it to block the source IP after the threshold is exceeded. Rate-based rules count the requests from each client IP over a sliding evaluation window (5 minutes by default; 1, 2, 5 or 10 minutes are selectable), and while an IP's count exceeds the configured limit AWS WAF applies the rule action to that IP at the CloudFront edge location; the block lifts automatically once the rate falls back under the limit. Enforcing at the edge matters because it stops the excess as close to the client as possible, so the burst never reaches and saturates the API origin. On the SAA-C03 exam, this scenario tests combining CloudFront with AWS WAF for application-layer rate limiting; the common trap is choosing a NACL or security group, which operate at the VPC level, never see the client IP behind CloudFront, and cannot act on request rate. Memory tip: "Rate at the Edge": rate-based rules on CloudFront block abusive IPs at the edge, not at the origin.

SAA-C03 Design Secure Architectures Practice Question

This SAA-C03 practice question tests your understanding of designing secure architectures. Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to see why each distractor is designed to mislead on exam day.

Exhibit

CloudFront access log excerpt:
2026-04-27T10:15:12Z 203.0.113.24 GET /api/orders 200 112ms
2026-04-27T10:15:12Z 203.0.113.24 GET /api/orders 200 109ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 111ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 108ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 110ms

Security requirement:
- Automatically mitigate high-rate requests from a single source IP
- Keep the protection at the edge

Based on the exhibit, a public API is behind CloudFront and is experiencing bursts of requests from the same client IP, causing upstream saturation. The team wants AWS to automatically block that IP when the request rate becomes excessive while keeping enforcement as close to the client as possible. Which control should they add?

Answer choices

  • Add an AWS WAF rate-based rule to the CloudFront distribution and configure it to block the source IP after the threshold is exceeded.
  • Add a network ACL rule that denies the source IP after five requests are observed.
  • Enable AWS Shield Advanced and create a custom protection group for the single IP address.
  • Place the API behind a security group rule that allows only the current client IP range.

Why each option matters

Choose an option first, then work through the breakdown below to understand why each option is right or wrong.

Correct answer & explanation

Add an AWS WAF rate-based rule to the CloudFront distribution and configure it to block the source IP after the threshold is exceeded.

AWS WAF rate-based rules automatically apply their action (Block, Count, CAPTCHA or Challenge) to client IPs whose request count exceeds a specified limit within the rule's evaluation window (5 minutes by default, configurable from 1 to 10 minutes). By attaching the web ACL containing this rule to a CloudFront distribution, enforcement occurs at the edge location closest to the client, preventing excessive requests from reaching the upstream API and mitigating saturation.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Add an AWS WAF rate-based rule to the CloudFront distribution and configure it to block the source IP after the threshold is exceeded.

    Why this is correct

    AWS WAF rate-based rules are purpose-built for this use case. They count HTTP requests per source IP (or per forwarded IP, or a custom aggregation key) over a sliding evaluation window and, while the count exceeds the limit, apply the configured action: Block, Count, CAPTCHA or Challenge. Attaching the web ACL to CloudFront enforces the control at the edge, so abusive requests are stopped before they reach the origin and consume upstream capacity. The rule is self-resetting: once the IP's rate drops back under the limit, AWS WAF stops blocking it without any operator action.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Add a network ACL rule that denies the source IP after five requests are observed.

    Why it's wrong here

    Network ACLs are stateless, subnet-level packet filters. They cannot count HTTP requests, apply sliding-window thresholds, or dynamically change based on application-layer behavior. They also do not sit at the CloudFront edge, so they cannot satisfy the requirement to automatically mitigate excessive request rates at the edge.

  • Enable AWS Shield Advanced and create a custom protection group for the single IP address.

    Why it's wrong here

    AWS Shield Advanced is a DDoS detection and mitigation service aimed at volumetric and infrastructure-layer attacks. Its protection groups are collections of protected resources (CloudFront distributions, load balancers, Elastic IPs), not lists of client IPs, so "a protection group for the single IP address" is not a real control. Shield Advanced's application-layer automatic mitigation itself works through an AWS WAF web ACL associated with the resource; the direct, tunable request-rate thresholding the scenario asks for is an AWS WAF rate-based rule.

  • Place the API behind a security group rule that allows only the current client IP range.

    Why it's wrong here

    Security groups are static, stateful network controls attached to ENIs at the origin. They do not inspect HTTP request rates or react to bursts from a single IP, and because the origin receives its traffic from CloudFront's IP ranges rather than from clients, a security group there cannot even identify the abusive client address. They also cannot implement edge-based, application-layer blocking for a CloudFront-fronted API.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is confusing stateless network ACLs or static security groups with the automatic, rate-aware blocking capability of AWS WAF, leading candidates to choose a manual or non-scalable solution.

Detailed technical explanation

How to think about this question

AWS WAF rate-based rules count requests per aggregation key (by default the client IP) over a sliding evaluation window, 5 minutes unless you choose 1, 2 or 10. When an IP's count in the current window exceeds the configured limit, the rule action is applied to that IP's further requests until the rate drops back below the limit. Because the web ACL is evaluated at CloudFront edge locations, blocking happens before traffic reaches the origin, removing the upstream load. Two caveats matter in practice: the count is evaluated periodically rather than on every request, so the start of a burst can reach the origin before the block takes effect; and a threshold set too low will block legitimate users behind a shared NAT address, which is why teams typically deploy the rule in Count mode first and review the sampled requests and CloudWatch metrics before switching to Block. A common real-world scenario is protecting APIs from web scraping or brute-force attacks where a single IP sends thousands of requests per minute.
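As an added worked example (not code from this page, from Courseiva or from AWS), the block below shows the two things a practitioner wants next to the Quick Answer and this explanation: how the rule is expressed as a WAFv2 Rule object, and what the sliding-window counting actually does when replayed over log lines in the exhibit's format. The rule name, threshold, window and every log line are constructed for illustration, and the boto3 call itself is left out so the code runs offline.

```python
"""Added example (not code from the question page or from AWS): two views of an
AWS WAF rate-based rule.

  build_rate_rule()    - the Rule structure you would pass to the WAFv2 API
                         (boto3 client('wafv2', region_name='us-east-1'),
                         Scope='CLOUDFRONT') for a web ACL on a distribution.
  simulate_rate_rule() - a per-IP sliding-window counter replayed over log lines
                         in the exhibit's format, to show which requests the
                         rule would block and that the block lifts by itself.

Rule name, threshold and the log lines are constructed for illustration.
Real AWS WAF evaluates the count periodically rather than on each request, so
the exact request at which blocking starts differs from this simulation.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_rate_rule(name, limit, window_sec=300, action="Block", priority=0):
    """Return a WAFv2 Rule dict holding a RateBasedStatement.

    EvaluationWindowSec must be 60, 120, 300 or 600 (300 is the default).
    The action applies to an IP only while its request count in the trailing
    window exceeds Limit; rate-based rules cannot use the Allow action.
    """
    if window_sec not in (60, 120, 300, 600):
        raise ValueError("EvaluationWindowSec must be 60, 120, 300 or 600")
    if action not in ("Block", "Count", "Captcha", "Challenge"):
        raise ValueError("rate-based rules support Block, Count, Captcha or Challenge")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "EvaluationWindowSec": window_sec,
                # IP = the address CloudFront sees. Use FORWARDED_IP only when
                # another proxy sits in front of CloudFront and sets X-Forwarded-For.
                "AggregateKeyType": "IP",
            }
        },
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def parse_log_line(line):
    """Parse '<ISO-8601 Z time> <client ip> <method> <path> <status> <latency>'."""
    ts, ip = line.split()[:2]
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc), ip


def simulate_rate_rule(lines, limit, window_sec=300):
    """Replay log lines through a per-IP sliding-window counter.

    Returns (decisions, blocked): decisions is a time-ordered list of
    (timestamp, ip, 'ALLOW'|'BLOCK'); blocked maps each rate-limited IP to
    the number of requests the rule would have blocked.
    """
    window = timedelta(seconds=window_sec)
    recent = defaultdict(deque)           # ip -> request timestamps inside the window
    blocked = defaultdict(int)
    decisions = []
    for ts, ip in sorted(parse_log_line(line) for line in lines):
        q = recent[ip]
        while q and q[0] <= ts - window:  # drop requests that have left the window
            q.popleft()
        q.append(ts)                      # blocked requests still count, so a source
        verdict = "BLOCK" if len(q) > limit else "ALLOW"  # that keeps hammering stays blocked
        if verdict == "BLOCK":
            blocked[ip] += 1
        decisions.append((ts, ip, verdict))
    return decisions, dict(blocked)


def make_lines(ip, start, count, per_second):
    """Constructed log lines in the exhibit's format (synthetic test data)."""
    t0 = datetime.strptime(start, TS_FMT)
    return [
        f"{t0 + timedelta(seconds=i // per_second):{TS_FMT}} {ip} GET /api/orders 200 110ms"
        for i in range(count)
    ]


# Constructed traffic: one IP bursts 120 requests in 24 s, a normal client sends
# 5, and the abusive IP returns 15 minutes later, after the window has cleared.
SAMPLE_LOG = (
    make_lines("203.0.113.24", "2026-04-27T10:15:12Z", 120, 5)
    + make_lines("198.51.100.7", "2026-04-27T10:15:12Z", 5, 1)
    + make_lines("203.0.113.24", "2026-04-27T10:30:00Z", 50, 5)
)
RULE = build_rate_rule("api-orders-rate-limit", limit=100)  # threshold is illustrative

if __name__ == "__main__":
    decisions, blocked = simulate_rate_rule(
        SAMPLE_LOG, RULE["Statement"]["RateBasedStatement"]["Limit"]
    )
    print("blocked requests per IP:", blocked)
    print("first blocked at:", min(ts for ts, _, v in decisions if v == "BLOCK"))
```

To apply the rule, put RULE in the Rules list of wafv2 create_web_acl or update_web_acl with Scope='CLOUDFRONT' (the client must use us-east-1), then reference the web ACL's ARN in the distribution's WebACLId. Start with action="Count", watch the rule's CloudWatch metric and sampled requests to learn the legitimate per-IP peak, and only then switch to Block; the IPs currently being rate limited can be listed with the GetRateBasedStatementManagedKeys API.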

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A retailer fronts its public order API with CloudFront and attaches an AWS WAF web ACL to the distribution. The team first deploys a rate-based rule in Count mode to learn normal per-IP request rates, then switches it to Block with a threshold comfortably above legitimate peaks. When a scraper starts hammering /api/orders from one address, its requests are dropped at the edge and the origin never sees the burst. Questions like this test whether you can pick the edge control that matches an application-layer, rate-based requirement instead of reaching for VPC network controls.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this SAA-C03 question test?

Design Secure Architectures. It checks whether you can match a requirement for automatic, edge-enforced, rate-based blocking to AWS WAF rate-based rules on CloudFront rather than to VPC-level controls such as network ACLs and security groups.

What is the correct answer to this question?

The correct answer is: Add an AWS WAF rate-based rule to the CloudFront distribution and configure it to block the source IP after the threshold is exceeded. AWS WAF rate-based rules automatically block client IPs whose request count exceeds a specified limit within the rule's evaluation window (5 minutes by default, configurable). By attaching the web ACL to a CloudFront distribution, enforcement occurs at the edge location closest to the client, preventing excessive requests from reaching the upstream API and mitigating saturation.

What should I do if I get this SAA-C03 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

1 more way this is tested on SAA-C03

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Based on the exhibit, a public API is behind CloudFront. A single client IP is sending bursts of requests that are overwhelming the origin, and the team wants AWS to automatically mitigate the abuse at the edge without changing the application code. What should the team do?

hard
  • A. Associate an AWS WAF web ACL with CloudFront and add a rate-based rule for the offending IP behavior.
  • B. Increase the ALB idle timeout to allow the origin to absorb more concurrent requests.
  • C. Add an Amazon Route 53 health check to fail over traffic to another DNS name.
  • D. Enable AWS Shield Advanced and rely on automatic DDoS protection for all request bursts.

Why A: AWS WAF rate-based rules automatically block or rate-limit requests from a client IP when the request rate exceeds a threshold you define. By associating the web ACL with CloudFront, the rule is enforced at the edge before traffic reaches the origin, mitigating abuse without modifying application code.

Last reviewed: Jun 11, 2026


This SAA-C03 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SAA-C03 exam.