This is a classic Layer 7 rate-limiting requirement tied toclient IPand atime window, and AWS WAF provides this natively withrate-based rules. Placing AWS WAF in front of the ALB allows the company to count requests per source IP over a rolling window and take action (block, CAPTCHA/challenge, or count depending on configuration) once the threshold is exceeded. This approach mitigates scanning and application-layer request floods early, before requests consume EC2 or DynamoDB capacity, and it requires minimal custom code or operational work.

Options B and C require building and maintaining custom counting logic (either in Lambda or in the application), which increases complexity and risk of errors, and it also introduces operational overhead for scaling state tracking across many IPs. Option D is not appropriate: altering DynamoDB capacity does not enforce “per-IP reads,” and storing per-request metadata in the same table is an anti-pattern that increases write load and complexity.

Therefore, using AWS WAF rate-based protection at the ALB is the least-effort, most effective solution.