AWS Certified Security – Specialty (SCS-C02) — Question 66

A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.

A security engineer needs to deny access from the offending IP addresses.

Which solution will meet these requirements?

Answer options

Correct answer: A

Explanation

The correct answer is A. An IP set match rule in the AWS WAF web ACL that is already associated with the Application Load Balancer (an IPSetReferenceStatement whose action is Block) denies every request whose source address falls within the listed CIDR ranges, which is exactly the requirement. Options B and C do not meet it: security groups are allow-only and cannot express a deny for a specific range (a VPC-level deny would need a network ACL entry, not a security group), and a rate-based rule blocks an address only after its request rate crosses the configured threshold, so a slow scan from a known range would still get through. Option D relies on a regex match, which inspects request components such as headers and the URI rather than the source IP, so it does not address the requirement.

One practical caveat: AWS WAF evaluates only the HTTP(S) requests that reach the load balancer's listeners. The IP set rule keeps those addresses away from the applications, but probes against other ports never reach WAF, so a network ACL deny entry for the same ranges is the complement if the goal is also to drop the scan traffic at the VPC edge.
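The following is an added example, not part of the exam page or of any AWS documentation, showing what the IP set block rule from option A looks like in practice and how to sanity-check it offline before touching the account. The address ranges, rule names, web ACL identifier and ARN are constructed placeholders. Everything except `apply_to_web_acl` runs without AWS credentials; that last function uses the real boto3 `wafv2` calls (`create_ip_set`, `get_web_acl`, `update_web_acl`) with scope REGIONAL, which is the scope an ALB web ACL uses.

```python
"""Build and locally check an AWS WAF (wafv2) IP set block rule for an ALB web ACL.

Added example; not part of the exam page. The ranges, names and identifiers
below are constructed placeholders. Only apply_to_web_acl talks to AWS.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the "offending" ranges the security team reported.
OFFENDING_RANGES = ["203.0.113.0/24", "198.51.100.17", "198.51.100.32/27"]


def build_ip_set_addresses(ranges: List[str], version: str = "IPV4") -> List[str]:
    """Normalize addresses into the CIDR form a wafv2 IP set expects.

    A wafv2 IP set holds a single address family, and every entry must be in
    CIDR notation, so a bare host becomes /32 (or /128 for IPv6). Host bits
    are cleared so each entry is the network address. Duplicates are dropped
    and input order is kept.
    """
    family = 4 if version == "IPV4" else 6
    normalized = []
    for item in ranges:
        net = ipaddress.ip_network(item.strip(), strict=False)
        if net.version != family:
            raise ValueError(f"{item} is not {version}; put it in a separate IP set")
        normalized.append(net.with_prefixlen)
    return list(dict.fromkeys(normalized))


def build_block_rule(name: str, priority: int, ip_set_arn: str) -> Dict:
    """Return the web ACL rule entry that blocks requests matching the IP set."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def ip_matches_set(client_ip: str, addresses: List[str]) -> bool:
    """Offline mirror of the IP set match: is the source IP inside any CIDR?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in addresses)


def insert_rule(existing_rules: List[Dict], new_rule: Dict) -> List[Dict]:
    """Place the block rule ahead of the existing rules.

    Priorities in a web ACL must be unique and lower values run first, so the
    rules are renumbered with the block rule at 0. Denied ranges are then
    rejected before any rate-based or regex rule gets to see them.
    """
    ordered = [new_rule] + sorted(existing_rules, key=lambda r: r["Priority"])
    result = []
    for position, rule in enumerate(ordered):
        copy = dict(rule)
        copy["Priority"] = position
        result.append(copy)
    return result


def apply_to_web_acl(web_acl_name: str, web_acl_id: str, region: str) -> None:
    """Create the IP set and add the block rule to the ALB's REGIONAL web ACL.

    Uses the real boto3 wafv2 API; needs credentials with wafv2 permissions.
    """
    import boto3  # imported here so the offline helpers need no AWS SDK

    wafv2 = boto3.client("wafv2", region_name=region)
    ip_set = wafv2.create_ip_set(
        Name="port-scan-sources",  # constructed name
        Scope="REGIONAL",
        Description="Ranges reported by the security team",
        IPAddressVersion="IPV4",
        Addresses=build_ip_set_addresses(OFFENDING_RANGES),
    )
    acl = wafv2.get_web_acl(Name=web_acl_name, Scope="REGIONAL", Id=web_acl_id)
    rules = insert_rule(
        acl["WebACL"]["Rules"],
        build_block_rule("block-port-scanners", 0, ip_set["Summary"]["ARN"]),
    )
    wafv2.update_web_acl(
        Name=web_acl_name,
        Scope="REGIONAL",
        Id=web_acl_id,
        DefaultAction=acl["WebACL"]["DefaultAction"],
        Rules=rules,
        VisibilityConfig=acl["WebACL"]["VisibilityConfig"],
        LockToken=acl["LockToken"],
    )
```

Two things to check before applying this in a real account: the IP set match uses the TCP connection's source address, so if a CDN or proxy sits in front of the load balancer the rule must instead be configured with `IPSetForwardedIPConfig` to read the client address from X-Forwarded-For; and because WAF sees only HTTP(S) requests that reach the listeners, a network ACL deny for the same ranges is what actually stops the port scans themselves.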