Q78 — AWS SCS-C02 Ch.1
A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet. A security engineer needs to deny access from the offending IP addresses. Which solution will meet these requirements?
- A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range. ✓
- B. Add a rule to all security groups to deny the incoming requests from the IP address range.
- C. Modify the AWS WAF web ACL with a rate-based rule statement to deny incoming requests from the IP address range.
- D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny incoming requests based on the match condition.
Correct Answer: A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests from the IP address range.
Explanation
The question concerns blocking access from a specific IP address range in an AWS environment. The core issue is choosing the right AWS service feature to implement the block. The IP set match rule statement in AWS WAF filters requests directly on the source IP address range, which fits the scenario of blocking known malicious IPs. Security groups (option B) operate at the instance level and contain only allow rules, so they cannot express a deny for the range; maintaining this across many security groups is also inefficient and easy to get wrong. A rate-based rule (option C) acts on request frequency, not on a fixed IP range. Regex matching (option D) inspects request content, not the source IP address. AWS documentation identifies IP set matching as the standard way to meet this requirement; option A maps directly to that feature and effectively blocks the specified IP addresses.