AWS Certified Security – Specialty — Question 485

A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.
Which solution will meet these requirements MOST cost-effectively?

Answer options

• A. Create an AWS WAF web ACL with an IP match condition to deny the countries' IP ranges. Associate the web ACL with the CloudFront distribution.
• B. Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.
• C. Use the geo restriction feature in CloudFront to deny the specific countries.
• D. Use geolocation headers in CloudFront to deny the specific countries.

Correct answer: C

Explanation

Using the native geo restriction feature in Amazon CloudFront is the most cost-effective solution because it is provided at no additional cost. Implementing AWS WAF (Options A and B) would incur extra charges for web ACL creation and request processing. Utilizing geolocation headers (Option D) requires additional application-level logic and compute resources to evaluate and block the traffic, which is more complex and less cost-effective.