Amazon Web Services chinesedumps legit Scs-c03 Exam Download by Sana q24 vce pdf

Page: 9 / 9

Amazon Web Services SCS-C03 Exam Overview :

Exam Name:	AWS Certified Security – Specialty
Exam Code:	SCS-C03 Dumps
Vendor:	Amazon Web Services	Certification:	AWS Certified Specialty
Questions:	126 Q&A's	Shared By:	sana

Question 36

A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CloudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.

Which solution will meet these requirements MOST cost-effectively?

Options:

Create an AWS WAF web ACL with an IP match condition to deny the countries' IP ranges. Associate the web ACL with the CloudFront distribution.

Create an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.

Use the geo restriction feature in CloudFront to deny the specific countries.

Use geolocation headers in CloudFront to deny the specific countries.

Discussion

Answer:

Explanation:

Amazon CloudFront includes a native geo restriction (geoblocking) capability that allows content owners to control access to their distributions based on the geographic location of the viewer. The viewer’s country is determined using the IP address from which the request originates. According to the AWS Certified Security – Specialty Official Study Guide and the Amazon CloudFront Developer Guide, geo restriction is specifically designed for scenarios where organizations must comply with regional regulations, licensing requirements, or data sovereignty policies.

From a cost perspective, CloudFront geo restriction is the most cost-effective solution because it is configured directly within the CloudFront distribution and does not require AWS WAF. AWS WAF introduces additional costs for web ACLs, rules, and request processing, which is unnecessary when the requirement is limited strictly to blocking or allowing access based on country.

Option A is incorrect because maintaining IP ranges for entire countries is operationally complex, error-prone, and not scalable. Country-level IP ranges frequently change, making this approach unsuitable and inefficient. Option B, although technically valid, is not the most cost-effective choice because AWS WAF geo match rules incur additional charges and are intended for advanced Layer 7 security controls such as application-layer attacks. Option D is incorrect because geolocation headers provided by CloudFront are informational only and cannot independently enforce access control decisions.

AWS documentation explicitly recommends CloudFront geo restriction when the sole requirement is country-based access control, reserving AWS WAF for advanced security inspection and threat mitigation use cases.

AWS Certified Security – Specialty Official Study Guide

Amazon CloudFront Developer Guide – Geo Restriction

AWS Well-Architected Framework – Security Pillar

AWS Security Best Practices Documentation

Question 37

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).

The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)

Options:

Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.

Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.

Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.

Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway as the target of the route.