Which solution will meet these requirements?
A. Deploy a global-scoped AWS WAF web ACL with an allow default action. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the CloudFront distribution.
B. Deploy an AWS WAF web ACL with an allow default action in us-east-1. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the S3 bucket.
C. Deploy a global-scoped AWS WAF web ACL with a block default action. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the CloudFront distribution.
D. Deploy an AWS WAF web ACL with a block default action in us-east-1. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the S3 bucket.
Explanations:
A (correct): A global-scoped AWS WAF web ACL is the right scope for a CloudFront distribution. The rate-based rule lets the administrator set the request-rate threshold used for DDoS protection. With an "allow" default action and a rule that blocks matching traffic, only sources that exceed the limit are blocked while all other requests pass, which gives granular rate limiting without changing the security posture for legitimate users.
B: AWS WAF must be associated with the CloudFront distribution, not directly with the S3 bucket. AWS WAF evaluates requests at the CloudFront edge, not at the S3 bucket, so this configuration cannot be set up.
C: The default action of the web ACL should be "allow," not "block." A block default action would block legitimate traffic by default, which is not what a rate-limiting scenario calls for. In addition, the rate-based rule should block matching traffic to mitigate DDoS attacks, not allow it.
D: As with option C, the default action should be "allow," not "block," to avoid inadvertently blocking legitimate traffic. Associating the web ACL with the S3 bucket is also incorrect, because AWS WAF is associated with CloudFront.
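As an added illustration of the correct option (this is example code, not part of the original question set), the following Terraform defines a CloudFront-scoped web ACL with an allow default action and a blocking rate-based rule, then attaches it to the distribution; the resource names and the 2000-request limit are assumed values. One practical caveat the distractors play on: a CLOUDFRONT-scoped web ACL has to be created through a us-east-1 provider, even though AWS applies it at every edge location, and it is still attached to the distribution rather than to the bucket.

```hcl
# Added example, not from the original page; names and the limit are assumed.
# CLOUDFRONT-scoped web ACLs must be created in us-east-1 (AWS applies them at every edge).
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "cloudfront_rate_limit" {
  provider = aws.us_east_1
  name     = "cloudfront-rate-limit"
  scope    = "CLOUDFRONT" # global scope, required for CloudFront distributions
  default_action {
    allow {} # legitimate traffic passes unless a rule matches
  }

  rule {
    name     = "rate-limit-per-ip"
    priority = 1

    action {
      block {} # sources over the limit are blocked
    }

    statement {
      rate_based_statement {
        limit              = 2000 # assumed: requests per IP per 5-minute window
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimitPerIP"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "CloudFrontRateLimitACL"
    sampled_requests_enabled   = true
  }
}

# The ACL is attached to the distribution, not the S3 origin; WAFv2 uses the ACL ARN here.
resource "aws_cloudfront_distribution" "site" {
  # origin, default_cache_behavior, restrictions and viewer_certificate blocks omitted
  enabled    = true
  web_acl_id = aws_wafv2_web_acl.cloudfront_rate_limit.arn
}
```

Once applied, blocked requests show up in the ACL's sampled requests and CloudWatch metrics under the RateLimitPerIP rule, which is the quickest way to confirm the limit is tuned correctly.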