Which strategy should a solutions architect use?
Use AWS Firewall Manager to control the CloudFront distribution security settings. Create a geographical block rule and associate it with Firewall Manager.
Associate an AWS WAF web ACL with the CloudFront distribution. Select the managed Amazon IP reputation rule group for the web ACL with a deny action.
Use AWS Firewall Manager to control the CloudFront distribution security settings. Select the managed Amazon IP reputation rule group and associate it with Firewall Manager with a deny action.
Associate an AWS WAF web ACL with the CloudFront distribution. Create a rule group for the web ACL with a geographical match statement with a deny action.
Explanations:
AWS Firewall Manager can manage WAF rules across multiple accounts and regions, but it is primarily used for managing security policies across an organization and does not directly offer geographical blocking.
Associating an AWS WAF web ACL with the CloudFront distribution and selecting the managed Amazon IP reputation rule group blocks requests from IPs with known bad reputations. This is an effective approach to prevent bot traffic.
AWS Firewall Manager can apply the managed IP reputation rule group but is mainly designed for managing security policies across accounts, which is not necessary in this scenario.
A geographical match statement only blocks access based on location, not IP reputation. It would likely block legitimate traffic from the region without targeting bot activity specifically.