AWS Certified Solutions Architect – Professional — Question 472

A company is developing a web application that runs on Amazon EC2 instances in an Auto Scaling group behind a public-facing Application Load Balancer (ALB).
Only users from a specific country are allowed to access the application. The company needs the ability to log the access requests that have been blocked. The solution should require the least possible maintenance.
Which solution meets these requirements?

Answer options

• A. Create an IPSet containing a list of IP ranges that belong to the specified country. Create an AWS WAF web ACL. Configure a rule to block any requests that do not originate from an IP range in the IPSet. Associate the rule with the web ACL. Associate the web ACL with the ALB.
• B. Create an AWS WAF web ACL. Configure a rule to block any requests that do not originate from the specified country. Associate the rule with the web ACL. Associate the web ACL with the ALB.
• C. Configure AWS Shield to block any requests that do not originate from the specified country. Associate AWS Shield with the ALB.
• D. Create a security group rule that allows ports 80 and 443 from IP ranges that belong to the specified country. Associate the security group with the ALB.

Correct answer: B

Explanation

AWS WAF natively supports geographic matching conditions, which allows administrators to block traffic from specific countries with minimal maintenance because AWS automatically manages the IP-to-country mappings. Options A and D require manually managing and updating IP ranges, which introduces high administrative overhead. AWS Shield (Option C) is a DDoS protection service and cannot be used for country-based access control.