AWS Certified Solutions Architect – Associate (SAA-C02) — Question 6
A company serves content to its subscribers across the world using an application running on AWS. The application has several Amazon EC2 instances in a private subnet behind an Application Load Balancer (ALB). Due to a recent change in copyright restrictions, the chief information officer (CIO) wants to block access for certain countries.
Which action will meet these requirements?
Answer options
- A. Modify the ALB security group to deny incoming traffic from blocked countries.
- B. Modify the security group for EC2 instances to deny incoming traffic from blocked countries.
- C. Use Amazon CloudFront to serve the application and deny access to blocked countries.
- D. Use ALB listener rules to return access denied responses to incoming traffic from blocked countries.
Correct answer: C
Explanation
The correct answer is C because Amazon CloudFront allows you to set geographic restrictions, effectively blocking access from specified countries. Options A and B are incorrect because security groups support only allow rules and match on IP address ranges, so modifying them will not block traffic based on geographic location. Option D is also incorrect because while ALB listener rules can manage traffic, they do not provide a straightforward method for blocking entire countries.