Q79 — AWS SOA-C02 Ch.1
Question 79 of 100
A company's public website is hosted in an Amazon S3 bucket in the us-east-1 Region behind an Amazon CloudFront distribution. The company wants to ensure that the website is protected from DDoS attacks. A SysOps administrator needs to deploy a solution that gives the company the ability to maintain control over the rate limit at which DDoS protections are applied. Which solution will meet these requirements?
- A. Deploy a global-scoped AWS WAF web ACL with an allow default action. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the CloudFront distribution. ✓
- B. Deploy an AWS WAF web ACL with an allow default action in us-east-1. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the S3 bucket.
- C. Deploy a global-scoped AWS WAF web ACL with a block default action. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the CloudFront distribution.
- D. Deploy an AWS WAF web ACL with a block default action in us-east-1. Configure an AWS WAF rate-based rule to allow matching traffic. Associate the web ACL with the S3 bucket.
Correct Answer: A. Deploy a global-scoped AWS WAF web ACL with an allow default action. Configure an AWS WAF rate-based rule to block matching traffic. Associate the web ACL with the CloudFront distribution.
Explanation
This scenario covers integrating AWS WAF with Amazon CloudFront to defend against DDoS attacks. AWS documentation states that WAF rate-based rules must be associated with the CloudFront distribution, and that a global-scope web ACL is the kind used for cross-Region resources such as CloudFront. Option A correctly configures a global web ACL with a default allow action, so that only requests exceeding the rate limit are blocked. Among the other options, B incorrectly associates the web ACL with the S3 bucket rather than with CloudFront; C and D use a default block action that could block legitimate traffic, and they do not apply the rate-based rule correctly.