AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 289

A company has proprietary data available by using an Amazon CloudFront distribution. The company needs to ensure that the distribution is accessible by only users from the corporate office that have a known set of IP address ranges. An AWS WAF web ACL is associated with the distribution and has a default action set to Count.

Which solution will meet these requirements with the LEAST operational overhead?

Answer options

• A. Create a new regex pattern set. Add the regex pattern set to a new rule group. Create a new web ACL that has a default action set to Block. Associate the web ACL with the CloudFront distribution. Add a rule that allows traffic based on the new rule group.
• B. Create an AWS WAF IP address set that matches the corporate office IP address range. Create a new web ACL that has a default action set to Allow. Associate the web ACL with the CloudFront distribution. Add a rule that allows traffic from the IP address set.
• C. Create a new regex pattern set. Add the regex pattern set to a new rule group. Set the default action on the existing web ACL to Allow. Add a rule that has priority 0 that allows traffic based on the regex pattern set.
• D. Create a WAF IP address set that matches the corporate office IP address range. Set the default action on the existing web ACL to Block. Add a rule that has priority 0 that allows traffic from the IP address set.

Correct answer: D

Explanation

Option D is correct because modifying the existing AWS WAF web ACL requires less operational overhead than creating and associating a new one. Setting the default action to Block and adding a priority 0 rule to Allow traffic from the corporate IP address set correctly implements a whitelist strategy. Using an IP address set is the standard, built-in mechanism for IP filtering, whereas regex pattern sets (Options A and C) are unnecessary and add administrative complexity.