Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.1.3. Edge Controls and Rules (Geo, Rate Limiting, Fingerprinting)

First Principle: Edge rules enable granular control over who can access your resources based on geography, behavior patterns, and client characteristics — filtering illegitimate traffic before it consumes compute resources.

Geographic Controls:
  • CloudFront Geo Restriction: an allow list or block list of countries set on the distribution and applied to every request based on the viewer IP's geolocation; viewers from a blocked country receive a 403 (or a custom error page). It is all-or-nothing for the whole distribution and cannot be combined with other conditions
  • WAF Geo-Match Statement: a rule statement that matches on the country of the request's source IP (or of a forwarded-IP header when WAF sits behind a proxy). Because it is an ordinary statement it composes with others: allow US traffic but apply a rate-based rule scoped down to that geo match, run a region in Count mode before blocking it, or attach a label for downstream rules
  • Use case: block access from countries where you have no customers, or apply stricter scrutiny to regions with high attack traffic. Caveat: geolocation is inferred from IP databases and is defeated by VPNs, proxies and misattributed mobile ranges, so treat geo rules as noise reduction, not as an access-control boundary
Rate Limiting:
  • WAF Rate-Based Rules: count requests per aggregation instance and block (or Count, CAPTCHA, or Challenge) the instances whose count exceeds the limit within the evaluation window. The default window is 5 minutes; 1, 2, 5 and 10 minutes are selectable. Aggregation defaults to the source IP but can use the forwarded IP or custom keys such as a header, cookie, query argument, URI path, or the client's JA3 TLS fingerprint, which catches distributed clients that share a fingerprint but not an IP
  • Minimum threshold: 100 requests per 5 minutes is the figure the exam material uses; AWS has since lowered the API minimum to 10 requests per window, so check the current AWS WAF documentation before relying on either number in production
  • Scope-down statement: restricts which requests are counted at all (e.g., only POSTs to the login path, only requests matching a geo match, only requests carrying a given header), so a tight limit on a sensitive endpoint does not throttle the rest of the site
  • Blocking is temporary: once an aggregation instance's rate drops back below the limit, its requests are allowed again. Counts are evaluated periodically rather than on every request, so enforcement lags by a short interval and an initial burst can get through before the block takes effect
Client Fingerprinting:
  • WAF Bot Control: a managed rule group. The common protection level identifies self-identifying and known bots by signatures and IP reputation; the targeted level adds browser interrogation (JavaScript fingerprinting of the client), behavioral analysis of request patterns, and CAPTCHA or Challenge actions to separate humans from automation that imitates a browser
  • Challenge actions: the Challenge action serves a silent JavaScript interstitial and issues a token that a real browser completes without user interaction; the CAPTCHA action presents a visible puzzle. Both are ordinary rule actions, so they can be attached to your own rules (e.g., challenge requests to the login path once a rate-based limit is reached) without enabling Bot Control
  • Client IP reputation: the Amazon IP reputation list managed rule group blocks or labels requests from sources that Amazon threat intelligence has observed conducting reconnaissance or attacks, including addresses seen actively attacking AWS resources

⚠️ Exam Trap: exam questions treat the minimum threshold for a WAF rate-based rule as 100 requests per 5 minutes. If a question requires blocking after fewer than 100 requests, the expected answer is a custom solution (e.g., Lambda@Edge counting requests against a shared store such as DynamoDB, since a Lambda@Edge function itself keeps no state between invocations). Know the exam answer, but also know that the live service now accepts limits down to 10 and that a custom aggregation key or a scope-down statement often removes the need for custom code.

Scenario: An e-commerce site experiences a credential stuffing attack from distributed IPs, each sending fewer than 50 login attempts. A rate-based rule aggregating on source IP never fires because no single IP reaches the 100-request threshold. Two changes close the gap: aggregate on something the bots share rather than the IP (a custom key such as a header, cookie, or JA3 TLS fingerprint, scoped down to the login path), and add WAF Bot Control so that automated login attempts are detected and challenged regardless of how the traffic is spread across addresses. For login endpoints specifically, the Account Takeover Prevention managed rule group is purpose-built for this attack class and sits alongside Bot Control.
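Added example (not code from this page or from AWS) modelling the scenario above and the rate-limiting bullets: it builds a WAFv2 rate-based rule body, with an optional geo-match scope-down and either source-IP or custom-key aggregation (JA3 TLS fingerprint or a request header), then replays constructed login traffic through that rule's aggregation semantics. The IPs, timestamps, header values and JA3 strings are constructed sample data, the 40 bots and 30 attempts per bot are illustrative numbers, and the replay is an idealised sliding window rather than WAF's periodic evaluation.

```python
"""Added example (not from this page or AWS): build an AWS WAFv2 rate-based rule in
the shape accepted as one entry of a web ACL's Rules list, then replay constructed
request records through its aggregation semantics. All sample data is constructed."""
import json
from collections import defaultdict, deque

EVALUATION_WINDOWS = (60, 120, 300, 600)  # seconds accepted by EvaluationWindowSec
MIN_LIMIT = 10  # current API minimum; it was 100 for years and exam questions assume 100


def rate_based_rule(name, limit, window_sec=300, key="IP", countries=None, priority=1):
    """Block rule with a RateBasedStatement.
    key: "IP" (source IP), "JA3" (client TLS fingerprint) or "HEADER:<name>".
    countries: ISO codes for a GeoMatchStatement scope-down; only those are counted."""
    if window_sec not in EVALUATION_WINDOWS:
        raise ValueError(f"EvaluationWindowSec must be one of {EVALUATION_WINDOWS}")
    if limit < MIN_LIMIT:
        raise ValueError(f"Limit must be at least {MIN_LIMIT}")
    stmt = {"Limit": limit, "EvaluationWindowSec": window_sec, "AggregateKeyType": "IP"}
    if key == "JA3":
        stmt["AggregateKeyType"] = "CUSTOM_KEYS"
        stmt["CustomKeys"] = [{"JA3Fingerprint": {"FallbackBehavior": "NO_MATCH"}}]
    elif key.startswith("HEADER:"):
        stmt["AggregateKeyType"] = "CUSTOM_KEYS"
        stmt["CustomKeys"] = [{"Header": {"Name": key.split(":", 1)[1],
                               "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}]
    elif key != "IP":
        raise ValueError(f"unsupported aggregation key {key!r}")
    if countries:
        stmt["ScopeDownStatement"] = {"GeoMatchStatement": {"CountryCodes": sorted(countries)}}
    return {"Name": name, "Priority": priority, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": stmt},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}


def aggregation_key(stmt, req):
    """Value the rule counts this request under, or None if it is not counted."""
    geo = stmt.get("ScopeDownStatement", {}).get("GeoMatchStatement")
    if geo and req["country"] not in geo["CountryCodes"]:
        return None  # outside the scope-down statement: never counted
    if stmt["AggregateKeyType"] == "IP":
        return req["ip"]
    custom = stmt["CustomKeys"][0]
    if "JA3Fingerprint" in custom:
        return req.get("ja3")  # no fingerprint -> NO_MATCH fallback -> not counted
    value = req["headers"].get(custom["Header"]["Name"].lower())
    return None if value is None else value.lower()


def replay(rule, requests):
    """Idealised sliding-window replay: a key is blocked once its count within the
    window exceeds Limit. Real WAF evaluates counts periodically and lifts the block
    when the rate drops back under the limit. Returns ({key: peak}, {blocked keys})."""
    stmt = rule["Statement"]["RateBasedStatement"]
    limit, window = stmt["Limit"], stmt["EvaluationWindowSec"]
    recent, peak, blocked = defaultdict(deque), defaultdict(int), set()
    for req in sorted(requests, key=lambda r: r["t"]):
        key = aggregation_key(stmt, req)
        if key is None:
            continue
        q = recent[key]
        q.append(req["t"])
        while req["t"] - q[0] >= window:
            q.popleft()
        peak[key] = max(peak[key], len(q))
        if len(q) > limit:
            blocked.add(key)
    return dict(peak), blocked


def credential_stuffing_sample():
    """Constructed traffic: 40 botnet IPs each post 30 logins over ~4 minutes (well
    under 100 per IP) from one attack tool, so they share a (made-up) JA3 fingerprint;
    plus one real user who mistypes a password four times from a normal browser."""
    reqs = [{"t": 8 * n + i % 7, "ip": f"203.0.113.{i + 1}", "country": "US",
             "ja3": "0123456789abcdef0123456789abcdef",
             "headers": {"user-agent": "Mozilla/5.0 (compatible)"}}
            for i in range(40) for n in range(30)]
    reqs += [{"t": 60 * n, "ip": "198.51.100.7", "country": "US",
              "ja3": "fedcba9876543210fedcba9876543210",
              "headers": {"user-agent": "Mozilla/5.0 (X11; Linux x86_64)"}}
             for n in range(4)]
    return reqs


def demo():
    traffic = credential_stuffing_sample()
    per_ip = rate_based_rule("login-rate-per-ip", 100, countries=["US", "CA"])
    per_ja3 = rate_based_rule("login-rate-per-ja3", 100, key="JA3", countries=["US", "CA"])
    _, blocked_ip = replay(per_ip, traffic)
    peak_ja3, blocked_ja3 = replay(per_ja3, traffic)
    return {"blocked_by_ip_rule": len(blocked_ip),    # 0: no bot IP reaches 100
            "blocked_by_ja3_rule": len(blocked_ja3),  # 1: the shared tool fingerprint
            "peak_ja3": max(peak_ja3.values())}       # 1200 requests in one window


if __name__ == "__main__":
    print(json.dumps(rate_based_rule("login-rate-per-ja3", 100, key="JA3", countries=["US"]), indent=2))
    print(demo())
```

Run it and the per-IP rule blocks nothing while the JA3-keyed rule blocks the one fingerprint the whole botnet shares; the printed rule JSON is what you would place in a web ACL's Rules list. A custom key only helps when the bots actually have something in common, which is why the page pairs it with Bot Control: a botnet that also randomizes its TLS stack and headers leaves behavioral detection as the remaining signal.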

Reflection Question: Why are rate-based rules insufficient against distributed attacks, and how does bot detection close this gap?

Written by Alvin Varughese, Founder (15 professional certifications)