Which solution will meet these requirements?

By:
In: SOA-C02
Tagged:
With: 1 Comment
A company’s public website is hosted in an Amazon S3 bucket in the us-east-1 Region behind an Amazon CloudFront distribution.The company wants to ensure that the website is protected from DDoS attacks.A SysOps administrator needs to deploy a solution that gives the company the ability to maintain control over the rate limit at which DDoS protections are applied.

Which solution will meet these requirements?

Deploy a global-scoped AWS WAF web ACL with an allow default action. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the CloudFront distribution.

Deploy an AWS WAF web ACL with an allow default action in us-east-1. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the S3 bucket.

Deploy a global-scoped AWS WAF web ACL with a block default action. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the CloudFront distribution.

Deploy an AWS WAF web ACL with a block default action in us-east-1. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the S3 bucket.

Explanations:

A global-scoped AWS WAF web ACL is appropriate for CloudFront distributions. The rate-based rule allows the administrator to control the rate limit for DDoS protections. By using the “allow” default action and blocking matching traffic, this solution provides granular control over rate limiting while maintaining the desired security posture.

AWS WAF should be associated with CloudFront, not directly with the S3 bucket. AWS WAF operates at the edge location level (CloudFront), not at the S3 bucket level, so this configuration would not work.

The default action of the WAF web ACL should be “allow,” not “block.” A block default action would block legitimate traffic by default, which is not ideal for rate-limiting scenarios. Additionally, the rate-based rule should be set to block matching traffic to prevent DDoS attacks, not to allow it.

Similar to option C, the default action should be “allow,” not “block,” to avoid inadvertently blocking legitimate traffic. Associating the WAF with the S3 bucket is also incorrect, as AWS WAF should be associated with CloudFront.

2025-10-11

1 Comment

  1. Jessica
    Author

    I rank that the answer is:
    Deploy a global-scoped AWS WAF web ACL with an allow default action. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the CloudFront distribution.

Leave a Reply

Your email address will not be published. Required fields are marked *

one × 3 =