AWS Certified Solutions Architect – Professional (SAP-C02) — Question 363

A company is developing a web application that runs on Amazon EC2 instances in an Auto Scaling group behind a public-facing Application Load Balancer (ALB). Only users from a specific country are allowed to access the application. The company needs the ability to log the access requests that have been blocked. The solution should require the least possible maintenance.

Which solution meets these requirements?

Answer options

• A. Create an IPSet containing a list of IP ranges that belong to the specified country. Create an AWS WAF web ACL. Configure a rule to block any requests that do not originate from an IP range in the IPSet. Associate the rule with the web ACL. Associate the web ACL with the ALB.
• B. Create an AWS WAF web ACL. Configure a rule to block any requests that do not originate from the specified country. Associate the rule with the web ACL. Associate the web ACL with the ALB.
• C. Configure AWS Shield to block any requests that do not originate from the specified country. Associate AWS Shield with the ALB.
• D. Create a security group rule that allows ports 80 and 443 from IP ranges that belong to the specified country. Associate the security group with the ALB.

Correct answer: B

Explanation

AWS WAF features native geographic match conditions that allow blocking requests based on country of origin with minimal maintenance, while easily logging blocked requests. Utilizing an IPSet in Option A or security groups in Option D requires manual tracking and updating of IP ranges, which introduces significant administrative overhead. AWS Shield, as mentioned in Option C, is a DDoS protection service and does not offer geographic access control or logging of blocked application-level requests.