A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to store a static website. The company’s security policy requires that all website traffic be inspected by AWS WAF.

How should the solutions architect comply with these requirements?

• A. Configure an S3 bucket policy to accept requests coming from the AWS WAF Amazon Resource Name (ARN) only.
• B. Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin.
• C. Configure a security group that allows Amazon CloudFront IP addresses to access Amazon S3 only. Associate AWS WAF to CloudFront.
• D. Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.

Un OAI permite restringir el acceso al bucket S3. Cuando se configura un OAI, se le da a CloudFront permiso para acceder al contenido del S3, mientras que las solicitudes directas al S3 (sin pasar por CloudFront) serán bloqueadas. Esta configuración asegura que todo el tráfico que llega a S3 pase siempre por CloudFront, lo que significa que puedes usar características como AWS WAF para inspeccionar ese tráfico antes de que llegue a tus recursos de S3.

A company’s web application is running on Amazon EC2 instances behind an Application Load Balancer. The company recently changed its policy, which now requires the application to be accessed from one specific country only.

Which configuration will meet this requirement?

• A. Configure the security group for the EC2 instances.
• B. Configure the security group on the Application Load Balancer.
• C. Configure AWS WAF on the Application Load Balancer in a VPC.
• D. Configure the network ACL for the subnet that contains the EC2 instances.

Puedes restringir geolocation address con el WAF, el resto de opciones no soporta esta implementación.

https://aws.amazon.com/about-aws/whats-new/2017/10/aws-waf-now-supports-geographic-match