AWS Certified Security – Specialty — Question 234
A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet.
A security engineer needs to deny access from the offending IP addresses.
Which solution will meet these requirements?
Answer options
- A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
- B. Add a rule to all security groups to deny the incoming requests from the IP address range.
- C. Modify the AWS WAF web ACL with a rate-based rule statement to deny incoming requests from the IP address range.
- D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the incoming requests based on the match condition.
Correct answer: A
Explanation
The correct answer is A. An IP set match rule statement in the AWS WAF web ACL blocks requests from the specified IP address range directly at the application layer (the load balancer), which addresses the traffic the security team identified. Option B is incorrect because security groups operate at the instance level and do not provide a way to block a specific IP address range at the load balancer. Option C is incorrect because a rate-based rule acts on sources that exceed a request threshold rather than on a specific IP address range, so it does not target the offending addresses as precisely as an IP set match rule. Option D is incorrect because regex pattern sets are intended for matching request content, not for blocking source IP addresses.