AWS Certified Security – Specialty (SCS-C02) — Question 164

A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.

Which solution will meet these requirements MOST cost-effectively?

Answer options

• A. Create an AWS WAF web ACL with an IP match condition to deny the countries' IP ranges. Associate the web ACL with the CloudFront distribution.
• B. Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.
• C. Use the geo restriction feature in CloudFront to deny the specific countries.
• D. Use geolocation headers in CloudFront to deny the specific countries.

Correct answer: C

Explanation

The correct answer is C because using the geo restriction feature in CloudFront is a built-in, cost-effective solution specifically designed for blocking access from certain countries. Options A and B involve AWS WAF, which incurs additional costs and complexity, while option D is not a standard method for restricting traffic based on geographic location.