AWS Certified SysOps Administrator – Associate — Question 435

A company's public website is hosted in an Amazon S3 bucket in the us-east-1 Region behind an Amazon CloudFront distribution. The company wants to ensure that the website is protected from DDoS attacks. A SysOps administrator needs to deploy a solution that gives the company the ability to maintain control over the rate limit at which DDoS protections are applied.
Which solution will meet these requirements?

Answer options

• A. Deploy a global-scoped AWS WAF web ACL with an allow default action. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the CloudFront distribution.
• B. Deploy an AWS WAF web ACL with an allow default action in us-east-1. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the S3 bucket.
• C. Deploy a global-scoped AWS WAF web ACL with a block default action. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the CloudFront distribution.
• D. Deploy an AWS WAF web ACL with a block default action in us-east-1. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the S3 bucket.

Correct answer: A

Explanation

To protect a CloudFront distribution, you must deploy a global-scoped AWS WAF web ACL because CloudFront is a global service, whereas regional web ACLs cannot be associated with it. The correct configuration is to allow traffic by default and use a rate-based rule to block clients that exceed the specified request threshold. Associating the web ACL with the S3 bucket directly is incorrect because AWS WAF cannot be attached directly to Amazon S3 buckets.