Question #1768
A company’s web application runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application is fronted by a CloudFront distribution with the ALB as its origin. AWS WAF is configured to mitigate cross-site scripting (XSS) attacks. Security logs recently identified a malicious external IP address that must be blocked from accessing the application.
What should a solutions architect do to block the malicious IP address effectively?
A. Update the network ACL associated with the CloudFront distribution to include a deny rule for the malicious IP address.
B. Modify the AWS WAF configuration to add an IP match condition that blocks the malicious IP address.
C. Update the network ACL for the EC2 instances in the ALB's target groups to deny traffic from the malicious IP address.
D. Modify the security groups for the EC2 instances in the ALB's target groups to deny ingress traffic from the malicious IP address.
Explanation
Answer B is correct because AWS WAF is designed to block malicious requests at the application layer (Layer 7). Since the application uses CloudFront (which integrates with AWS WAF), adding an IP match condition to block the malicious IP ensures requests from that IP are blocked before reaching the ALB or EC2 instances.
Option A is incorrect because network ACLs are associated with VPC subnets, not with CloudFront distributions. Options C and D are incorrect because network ACLs and security groups operate at the network layer (Layer 3/4) and cannot block traffic based on the original client IP when an ALB is in the path. The ALB forwards traffic to the EC2 instances from its own IP addresses, so the instances see only the ALB's IP, not the client's original IP. AWS WAF is the proper tool for blocking specific client IPs in this architecture.
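As an added illustration of what option B looks like in practice (this is not part of the original question or its explanation), the CloudFormation fragment below defines a WAFv2 IP set holding the blocked address and a web ACL rule that references it; the ACL's ARN is then attached to the distribution's `WebACLId`. The resource names, the `203.0.113.45/32` address (a documentation range, constructed here as a placeholder) and the metric names are assumptions for the example.

```yaml
# Added example: block one client IP in front of CloudFront with AWS WAFv2.
# CLOUDFRONT-scoped WAF resources must be created in us-east-1.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  BlockedClientIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: blocked-client-ips            # assumed name
      Scope: CLOUDFRONT                   # global scope, pairs with a distribution
      IPAddressVersion: IPV4
      Addresses:
        - 203.0.113.45/32                 # constructed placeholder; single host needs /32

  WebAppWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: web-app-acl                   # assumed name
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}                         # everything not matched by a rule passes
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: WebAppWebAcl
      Rules:
        - Name: BlockKnownMaliciousIps
          Priority: 0                     # evaluated before any XSS rules that follow
          Action:
            Block: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt BlockedClientIpSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockKnownMaliciousIps

  # The distribution itself is only sketched: the one property that matters
  # here is WebACLId, which takes the web ACL's ARN for a CloudFront scope.
  WebAppDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        WebACLId: !GetAtt WebAppWebAcl.Arn
        DefaultCacheBehavior:
          TargetOriginId: alb-origin      # assumed origin id
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad  # AWS managed CachingDisabled
        Origins:
          - Id: alb-origin
            DomainName: alb-placeholder.example.com   # placeholder for the ALB DNS name
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
```

Because the rule matches on the connecting client's IP at the CloudFront edge, the request is dropped before it ever reaches the ALB or the instances, which is exactly the property the network ACL and security group options lack. The sampled-requests and CloudWatch metrics on the rule give the security team a way to confirm the block is taking effect.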
Answer
The correct answer is: B