
Answer-first summary for fast verification
Answer: Set up an AWS WAF web ACL with a rule to block requests not originating from the specified country. Associate this rule with the web ACL and then with the ALB.
The correct answer is B. AWS WAF supports geo-matching rules, which allow you to block requests based on their country of origin. This makes it unnecessary to manually manage IP ranges, simplifying maintenance. AWS Shield is primarily used for defending against DDoS attacks and does not offer granular geo-blocking capabilities, making option C incorrect. Option A's approach of using an IPSet introduces additional maintenance overhead by requiring manual updates of IP ranges. Option D, using security group rules, is not practical for this scenario as security groups do not log blocked access attempts and are not designed for complex request filtering based on geographical origin.
Author: LeetQuiz Editorial Team
A company is developing a web application hosted on Amazon EC2 instances within an Auto Scaling group, fronted by a public-facing Application Load Balancer (ALB). The application is intended to be accessed exclusively by users from a specific country. The company requires a solution that not only restricts access to only these users but also logs any access attempts that are blocked. The solution should be as maintenance-free as possible. Which of the following solutions meets these requirements?
A. Create an IPSet in AWS WAF containing the IP ranges of the specified country. Configure an AWS WAF web ACL with a rule to block requests not originating from the IPSet. Associate this rule with the web ACL and then with the ALB.
B. Set up an AWS WAF web ACL with a rule to block requests not originating from the specified country. Associate this rule with the web ACL and then with the ALB.
C. Configure AWS Shield to block requests not originating from the specified country and associate AWS Shield with the ALB.
D. Create a security group rule allowing access on ports 80 and 443 from the IP ranges of the specified country and associate this security group with the ALB.
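A CloudFormation sketch of the approach in answer B, added here as an illustration and not part of the original question: a geo match statement wrapped in a NOT statement blocks everything outside the allowed country, and a logging configuration records the blocked requests. The country code `US`, the `AlbArn` parameter and all resource names are assumptions.

```yaml
# Added example: constructed template, not taken from the quiz page.
# Assumptions: allowed country "US", parameter AlbArn, all resource names.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlbArn:
    Type: String            # ARN of the existing public ALB (assumed input)
Resources:
  GeoWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: allow-one-country
      Scope: REGIONAL       # REGIONAL scope is required for an ALB
      DefaultAction:
        Allow: {}           # anything not blocked below is allowed
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: allow-one-country
      Rules:
        - Name: block-outside-country
          Priority: 0
          Action:
            Block: {}
          Statement:
            NotStatement:   # match requests NOT from the listed country
              Statement:
                GeoMatchStatement:
                  CountryCodes: [US]   # placeholder ISO 3166-1 alpha-2 code
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: block-outside-country
  AlbAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt GeoWebAcl.Arn
  WafLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: aws-waf-logs-geo-block   # WAF requires the aws-waf-logs- prefix
      RetentionInDays: 90
  WafLogging:
    Type: AWS::WAFv2::LoggingConfiguration
    Properties:
      ResourceArn: !GetAtt GeoWebAcl.Arn
      LogDestinationConfigs:
        - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${WafLogGroup}"
```

Each blocked request then appears in the log group with `action` set to `BLOCK` and the resolved country in `httpRequest.country`, so there are no IP ranges to maintain.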