Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 170 discussion

Geographic (Geo) Match Conditions in AWS WAF. This new condition type allows you to use AWS WAF to restrict application access based on the geographic location of your viewers. With geo match conditions you can choose the countries from which AWS WAF should allow access. https://aws.amazon.com/about-aws/whats-new/2017/10/aws-waf-now-supports-geographic-match/

By configuring AWS WAF on the ALB in a VPC, you can apply access control rules based on the geographic location of the incoming requests. AWS WAF allows you to create rules that include conditions based on the IP addresses' country of origin. You can specify the desired country and deny access to requests originating from any other country by leveraging AWS WAF's Geo Match feature. Option A and option B focus on network-level access control and do not provide country-specific filtering capabilities. Option D is not the ideal solution for restricting access based on country. Network ACLs primarily control traffic at the subnet level based on IP addresses and port numbers, but they do not have built-in capabilities for country-based filtering.

Ans C - WAF with geo-match (region or country). https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html

C --> One of the feature of WAF is Access Control: Implement IP whitelisting and blacklisting to allow or block traffic from specific IP addresses or address ranges. This can be useful for restricting access to your web application to trusted users or regions.

Geographic (Geo) Match Conditions in AWS WAF. This new condition type allows you to use AWS WAF to restrict application access based on the geographic location of your viewers. With geo match conditions you can choose the countries from which AWS WAF should allow access. https://aws.amazon.com/about-aws/whats-new/2017/10/aws-waf-now-supports-geographic-match/

C. Configure AWS WAF on the Application Load Balancer in a VPC

We can use AWS WAF to configure access control rule to access from specific location.

Configure AWS WAF for Geo Match Policy

Source from an AWS link Geographic (Geo) Match Conditions in AWS WAF. This condition type allows you to use AWS WAF to restrict application access based on the geographic location of your viewers. With geo match conditions you can choose the countries from which AWS WAF should allow access.

WAF Shield Advanced for DDOS, GuardDuty is a continuous monitoring service that alerts you of potential threats, while Inspector is a one-time assessment service that provides a report of vulnerabilities and deviations from best practices.

To meet the requirement of allowing the web application to be accessed from one specific country only, the company should configure AWS WAF (Web Application Firewall) on the Application Load Balancer in a VPC (Option C). AWS WAF is a web application firewall service that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF allows you to create rules that block or allow traffic based on the values of specific request parameters, such as IP address, HTTP header, or query string value. By configuring AWS WAF on the Application Load Balancer and creating rules that allow traffic from a specific country, the company can ensure that the web application is only accessible from that country.

OptionC. Configure WAF for Geo Match Policy

C is correct

C https://aws.amazon.com/about-aws/whats-new/2017/10/aws-waf-now-supports-geographic-match/

C. WAF with ALB is the right option