
SCS-C02 · Question #93

SCS-C02 Question #93: Real Exam Question with Answer & Explanation

The correct answer is A: Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests. An AWS WAF IP set match rule directly matches a CIDR range and blocks all requests from those addresses, which is the correct tool for blocking known malicious IP ranges.

Submitted by rohit_dlh · Mar 6, 2026

Question

A company is hosting multiple applications within a single VPC in its AWS account. The applications are running behind an Application Load Balancer that is associated with an AWS WAF web ACL. The company's security team has identified that multiple port scans are originating from a specific range of IP addresses on the internet. A security engineer needs to deny access from the offending IP addresses. Which solution will meet these requirements?

Options

  • A. Modify the AWS WAF web ACL with an IP set match rule statement to deny incoming requests.
  • B. Add a rule to all security groups to deny the incoming requests from the IP address range.
  • C. Modify the AWS WAF web ACL with a rate-based rule statement to deny the incoming requests.
  • D. Configure the AWS WAF web ACL with regex match conditions. Specify a pattern set to deny the

Explanation

An AWS WAF IP set match rule directly matches a CIDR range and blocks all requests from those addresses, which is the correct tool for blocking known malicious IP ranges.

Common mistakes.

  • B. Modifying security groups across all instances is operationally intensive, error-prone, and does not scale when multiple IP ranges or future attacks are involved.
  • C. A rate-based rule blocks IPs that exceed a request rate threshold, not specific IP ranges; it would not block slow port scans that stay below the rate limit.
  • D. Regex match conditions evaluate patterns within request content such as URIs or headers, not source IP addresses, making this the wrong rule type for IP-based blocking.

Concept tested. AWS WAF IP set match rule for IP range blocking

Reference. https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html
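
The contrast between answer A and distractor C, as an added example that is not part of the original page: it builds the rule entry for an IP set match in the WAFv2 rule shape, then compares an IP set match with a rate-based rule over a slow scan. The ARN, rule name, CIDR and request list are constructed, and the rate-based evaluator is a simplified model rather than AWS WAF's own logic.

```python
import ipaddress

# Constructed sample values: RFC 5737 documentation ranges and a placeholder ARN.
BLOCKED_CIDRS = ["203.0.113.0/24"]
IPSET_ARN = "arn:aws:wafv2:us-east-1:111122223333:regional/ipset/scanner-ranges/EXAMPLE-ID"
# (source_ip, seconds): a slow scanner (1 request per 30 s) and a normal client.
REQUESTS = [("203.0.113.7", 30 * i) for i in range(20)] + \
           [("198.51.100.20", 5 * i) for i in range(5)]


def ipset_block_rule(arn, priority=0):
    """Rule entry for a WAFv2 web ACL: block sources listed in the referenced IP set."""
    return {
        "Name": "block-scanner-ranges",  # hypothetical rule name
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": arn}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "block-scanner-ranges",
        },
    }


def ipset_decisions(requests, cidrs):
    """IP set match: every request from a listed CIDR is blocked, whatever its rate."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return ["BLOCK" if any(ipaddress.ip_address(ip) in n for n in nets) else "ALLOW"
            for ip, _ in requests]


def rate_based_decisions(requests, limit, window=300):
    """Simplified model: block a source only while it exceeds `limit` per window."""
    seen, out = {}, []
    for ip, t in requests:
        seen[ip] = [x for x in seen.get(ip, []) if x > t - window] + [t]
        out.append("BLOCK" if len(seen[ip]) > limit else "ALLOW")
    return out


if __name__ == "__main__":
    print(ipset_block_rule(IPSET_ARN)["Statement"])
    print("ip set blocks:", ipset_decisions(REQUESTS, BLOCKED_CIDRS).count("BLOCK"))
    print("rate-based blocks:", rate_based_decisions(REQUESTS, 100).count("BLOCK"))
```
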
