Exam AWS Certified Solutions Architect - Associate SAA-C02 All Questions

Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 35 discussion

A company's website is used to sell products to the public. The site runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). There is also an Amazon CloudFront distribution, and AWS WAF is being used to protect against SQL injection attacks. The ALB is the origin for the CloudFront distribution. A recent review of security logs revealed an external malicious IP that needs to be blocked from accessing the website.

What should a solutions architect do to protect the application?

  • A. Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address.
  • B. Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address.
  • C. Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.
  • D. Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address.
Suggested Answer: B
If you want to allow or block web requests based on the IP addresses that the requests originate from, create one or more IP match conditions. An IP match condition lists up to 10,000 IP addresses or IP address ranges that your requests originate from. Later in the process, when you create a web ACL, you specify whether to allow or block requests from those IP addresses.
AWS Web Application Firewall (WAF) - Helps to protect your web applications from common application-layer exploits that can affect availability or consume excessive resources. As you can see in my post (New - AWS WAF), WAF allows you to use access control lists (ACLs), rules, and conditions that define acceptable or unacceptable requests or IP addresses. You can selectively allow or deny access to specific parts of your web application and you can also guard against various SQL injection attacks. We launched WAF with support for Amazon CloudFront.
References:
https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/
https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-ip-conditions.html
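The following is an added example, not code from the exam site or from AWS. It models the IP-based block that answer B describes: grouping the flagged addresses into WAF-style IP sets (one address family per set, at most 10,000 entries), building the WAFv2 rule JSON that references such a set with a Block action, and checking offline which client addresses the rule would match. The malicious addresses and the IP set ARN are constructed placeholders.

```python
import ipaddress

# Constructed sample values (not from the question or from AWS): the address the
# security-log review flagged, plus an IPv6 range, and a placeholder IP set ARN.
MALICIOUS_ADDRESSES = ["203.0.113.45/32", "2001:db8:bad::/48"]
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/BlockList/EXAMPLE-ID"

MAX_IP_SET_ENTRIES = 10_000  # limit quoted in the suggested answer


def split_ip_sets(addresses):
    """Group CIDR entries by family: a WAFv2 IP set holds either IPv4 or IPv6, not both.

    Each entry must be a valid CIDR with no host bits set, or the API rejects it.
    """
    if len(addresses) > MAX_IP_SET_ENTRIES:
        raise ValueError("an IP set holds at most 10,000 addresses or ranges")
    sets = {"IPV4": [], "IPV6": []}
    for entry in addresses:
        net = ipaddress.ip_network(entry, strict=True)  # raises on '203.0.113.45/24'
        sets["IPV4" if net.version == 4 else "IPV6"].append(str(net))
    return sets


def block_rule(ip_set_arn, priority=0, name="BlockMaliciousIPs"):
    """Rule JSON for a WAFv2 web ACL: block any request whose source IP is in the set.

    With the web ACL on the CloudFront distribution (scope CLOUDFRONT), WAF inspects
    the real client address. If the same rule were attached to the ALB behind
    CloudFront, WAF would see CloudFront's edge addresses instead, and the rule
    would need "IPSetForwardedIPConfig" so that X-Forwarded-For is inspected.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def is_blocked(client_ip, addresses):
    """Offline model of the IP set match: True when client_ip falls inside any range."""
    ip = ipaddress.ip_address(client_ip)
    nets = (ipaddress.ip_network(a) for a in addresses)
    return any(ip in net for net in nets if net.version == ip.version)
```

The dictionary returned by block_rule is the shape passed in the Rules list of a wafv2 create-web-acl or update-web-acl call, once the IP set has been created with the matching scope.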

Comments

eug45
Highly Voted 3 years, 8 months ago
CORRECT: "Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address" is the correct answer.
INCORRECT: "Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address" is incorrect as CloudFront does not sit within a subnet so network ACLs do not apply to it.
INCORRECT: "Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP address" is incorrect as the source IP addresses of the data in the EC2 instances' subnets will be the ELB IP addresses.
INCORRECT: "Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address" is incorrect as you cannot create deny rules with security groups.
upvoted 163 times
Yvette_Lau
3 years, 8 months ago
I love your explanation, thank you.
upvoted 3 times
Ifebobo3
2 years, 11 months ago
Great explanation! Thank you so much.
upvoted 1 times
Lionnaire
3 years, 8 months ago
I appreciate the time you take to provide explanation why a response is correct or incorrect.
upvoted 15 times
a1sinceday1
2 years, 9 months ago
Appreciate you, friend.
upvoted 1 times
Tom_0123
Highly Voted 3 years, 8 months ago
NACL is within the VPC. You can block the IP much before it reaches the VPC using WAF. Answer should be B.
upvoted 47 times
aguy9
3 years, 7 months ago
I agree with B
upvoted 2 times
Vibes
Most Recent 3 years, 7 months ago
B is right
upvoted 2 times
karthisena
3 years, 7 months ago
Explanation: A new version of the AWS Web Application Firewall was released in November 2019. With AWS WAF classic you create "IP match conditions", whereas with AWS WAF (new version) you create "IP set match statements". Look out for wording on the exam. The IP match condition / IP set match statement inspects the IP address of a web request's origin against a set of IP addresses and address ranges. Use this to allow or block web requests based on the IP addresses that the requests originate from. AWS WAF supports all IPv4 and IPv6 address ranges. An IP set can hold up to 10,000 IP addresses or IP address ranges to check. CORRECT: "Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address" is the correct answer.
upvoted 5 times
woke
3 years, 7 months ago
B. Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address.
upvoted 3 times
reliquary
3 years, 7 months ago
This came up in my exam taken 3 June 2021; I picked B.
upvoted 3 times
DarexTech100
3 years, 7 months ago
Please can you still remember some of the exam questions for general discussion? I am getting ready for my exam next week. Thanks.
upvoted 1 times
KK_uniq
3 years, 7 months ago
B for sure, since CF does not have a NACL applicable.
upvoted 1 times
syu31svc
3 years, 7 months ago
Correct answer is B as AWS WAF can be configured to block based on the IP match condition. https://aws.amazon.com/premiumsupport/knowledge-center/waf-block-common-attacks/
upvoted 2 times
mryala
3 years, 7 months ago
It's B.
upvoted 1 times
Yogi
3 years, 7 months ago
Ans = B
upvoted 1 times
Ankitrathi85
3 years, 7 months ago
B right
upvoted 1 times
fwfw
3 years, 7 months ago
BBB. WAF supports blocking IPs in several ways: https://aws.amazon.com/waf/getting-started/
upvoted 1 times
qurren
3 years, 7 months ago
B is correct, and C is not correct because EC2 can only see the ALB's IP address, not the client IP.
upvoted 1 times
myutran
3 years, 7 months ago
Answer: B
upvoted 1 times
AEN
3 years, 7 months ago
Ans is B
upvoted 1 times
arunchu
3 years, 7 months ago
I agree with B
upvoted 1 times
anpt
3 years, 8 months ago
BBBBBBBBBBBB
upvoted 2 times