AWS Certified Solutions Architect – Professional — Question 570

A company maintains a restaurant review website. The website is a single-page application where files are stored in Amazon S3 and delivered using Amazon
CloudFront. The company receives several fake postings every day that are manually removed.
The security team has identified that most of the fake posts are from bots with IP addresses that have a bad reputation within the same global region. The team needs to create a solution to help restrict the bots from accessing the website.
Which strategy should a solutions architect use?

Answer options

• A. Use AWS Firewall Manager to control the CloudFront distribution security settings. Create a geographical block rule and associate it with Firewall Manager.
• B. Associate an AWS WAF web ACL with the CloudFront distribution. Select the managed Amazon IP reputation rule group for the web ACL with a deny action.
• C. Use AWS Firewall Manager to control the CloudFront distribution security settings. Select the managed Amazon IP reputation rule group and associate it with Firewall Manager with a deny action.
• D. Associate an AWS WAF web ACL with the CloudFront distribution. Create a rule group for the web ACL with a geographical match statement with a deny action.

Correct answer: B

Explanation

AWS WAF can be associated directly with an Amazon CloudFront distribution to filter incoming traffic. The managed Amazon IP reputation rule group is specifically designed to block requests from known malicious IP addresses and bots. Geographic blocking (options A and D) is incorrect because the bots share the same global region as legitimate users, and AWS Firewall Manager (options A and C) is unnecessary overhead for managing security on a single CloudFront distribution.