A company’s website is used to sell products to the public. The site runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). There is also an Amazon CloudFront distribution, and AWS WAF is being used to protect against SQL injection attacks. The ALB is the origin for the CloudFront distribution. A recent review of security logs revealed an external malicious IP that needs to be blocked from accessing the website. What should a solutions architect do to protect the application?
Choose an answer
Tap an option to check your answer.
Correct answer: Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address..
Why this is the answer
The correct solution is to modify AWS WAF to add an IP match condition to block the malicious IP address. AWS WAF is designed to protect web applications from common web exploits and can be configured to block specific IP addresses. Since CloudFront is the origin for the ALB, and AWS WAF is already protecting the CloudFront distribution, this is the most effective and direct way to block the malicious IP at the edge before it reaches the application. Modifying the network ACL on the CloudFront distribution is not possible as CloudFront distributions do not have network ACLs in the traditional sense. Modifying network ACLs or security groups for the EC2 instances or the ALB would be less effective because the malicious traffic would still reach CloudFront and potentially the ALB before being blocked, consuming resources unnecessarily.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed