
Explanation:
The right approach is to enforce country blocking in AWS WAF and create an explicit allow list for the exception. "Add an AWS WAF geo match rule that blocks the specified countries" applies the necessary geographic restrictions, and pairing it with "Use an AWS WAF IP set that lists the contractor team public IPs to allow" permits the trusted QA users to access the site despite the country block.

"Create deny entries for those countries in the VPC network ACLs" is not viable because NACLs cannot evaluate geolocation and therefore cannot block traffic by country. "Configure Application Load Balancer listener rules to block countries" is incorrect since ALB listener rules do not offer geo-based filtering; this capability belongs to AWS WAF. "Amazon CloudFront" alone is insufficient because, although it can enforce geo restrictions, it does not provide the necessary IP-based exception in this architecture without additional WAF rules and architectural changes.

Country-based filtering and granular IP allow lists are core AWS WAF functions on ALB-integrated apps. For exceptions to geo blocks, use an IP set allow list and pay attention to WAF rule order so the allow list is evaluated before the geo block.
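The rule-order point above, as an added example that is not part of the original page: a small Python model of how a web ACL picks the first matching rule by priority, comparing the allow-list-first ordering with the reversed one. The IP ranges, country codes, rule names and request dictionaries are constructed placeholders, and the evaluator is a simplified model, not the AWS API.

```python
import ipaddress

# Constructed sample values: documentation-range IPs, placeholder country codes.
QA_IP_SET = ["203.0.113.16/29", "198.51.100.7/32"]
BLOCKED_COUNTRIES = {"AA", "BB"}  # placeholders, not real ISO codes


def ip_set_rule(priority):
    """Allow rule that matches when the source IP is inside the QA IP set."""
    nets = [ipaddress.ip_network(cidr) for cidr in QA_IP_SET]
    return {"Name": "allow-qa-ip-set", "Priority": priority, "Action": "ALLOW",
            "match": lambda req: any(ipaddress.ip_address(req["ip"]) in n
                                     for n in nets)}


def geo_rule(priority):
    """Block rule that matches when the request's country is on the block list."""
    return {"Name": "block-countries", "Priority": priority, "Action": "BLOCK",
            "match": lambda req: req["country"] in BLOCKED_COUNTRIES}


def evaluate(rules, request, default_action="ALLOW"):
    """Lowest Priority number is evaluated first; the first matching rule with
    a terminating action (ALLOW or BLOCK) decides, else the default applies."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if rule["match"](request):
            return rule["Action"], rule["Name"]
    return default_action, "default"


CORRECT = [ip_set_rule(0), geo_rule(1)]     # allow list evaluated first
MISORDERED = [geo_rule(0), ip_set_rule(1)]  # geo block shadows the allow list

# Constructed requests; "country" stands in for the geolocation WAF derives.
QA_TESTER = {"ip": "203.0.113.18", "country": "AA"}
OTHER_IN_BLOCKED = {"ip": "192.0.2.50", "country": "AA"}
ELSEWHERE = {"ip": "192.0.2.60", "country": "ZZ"}

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT), ("misordered", MISORDERED)):
        for req in (QA_TESTER, OTHER_IN_BLOCKED, ELSEWHERE):
            print(label, req["ip"], req["country"], evaluate(rules, req))
```

With the misordered list the QA tester is blocked by the geo rule before the IP set is ever consulted, which is the failure the rule-order advice guards against.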
A digital publishing platform must block traffic from select countries to comply with regional rights, but an eight-person QA team operating from one of those countries still needs access for testing. The application runs on Amazon EC2 behind an Application Load Balancer, and AWS WAF is already associated with the load balancer. Which combination of controls should be implemented to satisfy these requirements? (Choose 2)
A. Use an AWS WAF IP set that lists the contractor team public IPs to allow
B. Create deny entries for those countries in the VPC network ACLs
C. Add an AWS WAF geo match rule that blocks the specified countries
D. Configure Application Load Balancer listener rules to block countries
E. Amazon CloudFront