Exhibit
{
  "cloudfront_log_sample": [
    "2026-04-27T09:14:01Z c-ip=203.0.113.44 uri=/api/search 1",
    "2026-04-27T09:14:02Z c-ip=203.0.113.44 uri=/api/search 1",
    "2026-04-27T09:14:02Z c-ip=203.0.113.44 uri=/api/search 1"
  ],
  "origin_metrics": {
    "5xxErrorRate": "spiking",
    "ALBRequestCount": "high",
    "single_source_ip_percentage": "82%"
  },
  "waf_status": "No Web ACL associated with the CloudFront distribution"
}
Based on the exhibit, a public API is behind CloudFront. A single client IP is sending bursts of requests that are overwhelming the origin, and the team wants AWS to automatically mitigate the abuse at the edge without changing the application code. What should the team do?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Associate an AWS WAF web ACL with CloudFront and add a rate-based rule for the offending IP behavior.
AWS WAF is the right control at the CloudFront edge because it inspects requests before they reach the origin and can enforce a rate-based rule on abusive traffic patterns. A rate-based rule counts requests per source IP over a trailing evaluation window and blocks, counts, or challenges requests from any IP whose count exceeds the configured limit, which directly addresses the burst traffic in the logs; the action is lifted automatically once that source drops back under the limit. The web ACL for a CloudFront distribution is created with CloudFront scope in the us-east-1 Region and then associated with the distribution, so the mitigation needs no application changes. The exhibit's "No Web ACL associated" line is the missing control.
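As an added example (not code from this page or from AWS), the Python below replays exhibit-style log lines through an offline approximation of what a rate-based rule does: aggregate requests per source IP over a trailing window, honour a scope-down condition on the URI path, and flag the IP the first time its count exceeds the limit. It then emits the WAFv2 rule object that expresses the same policy. The log lines, the tiny demo threshold and the rule name are constructed for illustration, and the exhibit's simplified one-line-per-request layout is assumed; it is not the real CloudFront standard log format.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample in the exhibit's simplified layout (not the real CloudFront
# standard log format). 203.0.113.44 bursts against /api/search, 198.51.100.7 is
# an ordinary client, and the 09:19:30 line falls outside a 5-minute window to
# show the per-IP count resetting.
SAMPLE_LOG = """\
2026-04-27T09:14:01Z c-ip=203.0.113.44 uri=/api/search 1
2026-04-27T09:14:01Z c-ip=198.51.100.7 uri=/api/search 1
2026-04-27T09:14:02Z c-ip=203.0.113.44 uri=/api/search 1
2026-04-27T09:14:02Z c-ip=203.0.113.44 uri=/api/search 1
2026-04-27T09:14:03Z c-ip=203.0.113.44 uri=/api/search 1
2026-04-27T09:14:03Z c-ip=203.0.113.44 uri=/api/items 1
2026-04-27T09:14:04Z c-ip=203.0.113.44 uri=/api/search 1
2026-04-27T09:14:05Z c-ip=198.51.100.7 uri=/api/search 1
2026-04-27T09:19:30Z c-ip=203.0.113.44 uri=/api/search 1
"""

LINE_RE = re.compile(r"^(\S+) c-ip=(\S+) uri=(\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Return (timestamp, client_ip, uri) tuples, skipping lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3)))
    return events


def top_source_share(events):
    """(ip, percentage of all requests) for the busiest client; the exhibit's 82% figure."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    ip = max(counts, key=counts.get)
    return ip, 100.0 * counts[ip] / len(events)


def offending_ips(events, limit, window_sec, uri_prefix=None):
    """Offline approximation of a WAF rate-based rule aggregated by source IP.

    Each IP's requests are kept in a sliding window of window_sec seconds; the IP
    is flagged the first time its count in that window exceeds `limit`. uri_prefix
    plays the role of a scope-down statement: requests outside it are not counted.
    Returns {ip: ISO-8601 time of the first request over the limit}. AWS WAF itself
    evaluates in periodic passes, so this is an approximation, not its exact timing.
    """
    windows = defaultdict(deque)
    flagged = {}
    for ts, ip, uri in sorted(events):
        if uri_prefix and not uri.startswith(uri_prefix):
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_sec:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts.strftime(TS_FMT)
    return flagged


def rate_based_rule(limit, window_sec, uri_prefix, name="rate-limit-api-search"):
    """WAFv2 rule object for the same policy, for a web ACL created with --scope CLOUDFRONT."""
    return {
        "Name": name,  # constructed name
        "Priority": 0,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "EvaluationWindowSec": window_sec,
                "AggregateKeyType": "IP",
                "ScopeDownStatement": {
                    "ByteMatchStatement": {
                        "SearchString": uri_prefix,
                        "FieldToMatch": {"UriPath": {}},
                        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                        "PositionalConstraint": "STARTS_WITH",
                    }
                },
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name.replace("-", ""),
        },
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    ip, share = top_source_share(events)
    print(f"busiest source: {ip} ({share:.0f}% of requests)")
    # limit=4 is deliberately tiny so the constructed sample trips it; a real rule
    # is sized to legitimate peak traffic over its 300 s window.
    print("flagged:", offending_ips(events, limit=4, window_sec=300, uri_prefix="/api/search"))
    print(json.dumps(rate_based_rule(limit=1000, window_sec=300, uri_prefix="/api/search"), indent=2))
```

Run it as a script to see the busiest source, the flagged IP and the rule JSON. The rule object belongs in the Rules list of a web ACL created with `aws wafv2 create-web-acl --scope CLOUDFRONT --region us-east-1 ...`, whose ARN is then set on the distribution. A sensible rollout starts with `"Action": {"Count": {}}` and watches the rule's CloudWatch metric before switching to Block, so the limit is not tuned against legitimate peaks.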
Distractor review
Increase the ALB idle timeout to allow the origin to absorb more concurrent requests.
ALB idle timeout affects how long an existing connection can remain open, not how many requests a hostile client can generate. Increasing it may actually increase resource consumption at the origin instead of stopping the abuse.
Distractor review
Add an Amazon Route 53 health check to fail over traffic to another DNS name.
Route 53 health checks and failover are used for endpoint availability and regional failover, not for filtering or rate-limiting abusive requests from a single client IP. This would not stop the malicious traffic from reaching the origin.
Distractor review
Enable AWS Shield Advanced and rely on automatic DDoS protection for all request bursts.
AWS Shield Standard already protects CloudFront against common network and transport layer floods at no cost. Shield Advanced adds application-layer DDoS detection, cost protection and access to the Shield Response Team, but its application-layer mitigations are delivered through an AWS WAF web ACL associated with the resource, and the exhibit states that no web ACL exists. The scenario calls for request-level edge filtering, which is a WAF rate-based rule, not only infrastructure-level DDoS protection.
Common exam trap
Common exam trap: choosing an availability control when the question asks for a filtering control
Every distractor here either keeps the origin alive a little longer or moves traffic somewhere else; none of them stops the abusive requests. When the stem says "mitigate at the edge without changing the application", look for the service that inspects and drops requests before they reach the origin. For a CloudFront distribution that is AWS WAF, and the exhibit's "No Web ACL associated" line is the hint that it is missing.
Technical deep dive
How to think about this question
Work from the exhibit: one client IP (203.0.113.44) accounts for 82% of requests, the origin's 5xx rate is spiking, and the distribution has no web ACL. Match each symptom to the control that addresses it. A rate-based rule in AWS WAF counts requests per source IP over a trailing evaluation window and blocks, counts, CAPTCHAs or challenges requests from any IP that exceeds the limit. The fix is therefore to create a web ACL with CloudFront scope (in the us-east-1 Region), add a rate-based rule, and associate the web ACL with the distribution.
Key Concepts to Remember
- Web ACLs for CloudFront use the CLOUDFRONT scope and are created in us-east-1, regardless of where the origin runs.
- A rate-based rule aggregates requests by source IP (other aggregation keys are available) over a trailing window and acts once the count exceeds the configured limit; the action is lifted when the rate drops back under it.
- A scope-down statement restricts a rate-based rule to matching requests only, for example the /api/search path in the exhibit, so traffic to other paths does not count against the limit.
- Shield Standard is always on for CloudFront and covers network and transport layer floods; request-level HTTP filtering still needs a web ACL.
Exam Day Tips
- Locate the layer named in the stem: "at the edge" plus "without application changes" points at controls attached to CloudFront, not at the ALB or the application.
- Separate availability controls (Route 53 failover, Auto Scaling, timeouts) from filtering controls (AWS WAF, security groups, network ACLs); this stem asks for filtering.
- When an exhibit says no web ACL is associated, expect the answer to be the web ACL, not a tuning change at the origin.
Related practice questions
Related SAA-C03 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
SAA-C03 VPC practice questions
SAA-C03 S3 lifecycle policy questions
SAA-C03 RDS Multi-AZ questions
SAA-C03 IAM policy practice questions
SAA-C03 Route 53 failover questions
SAA-C03 CloudFront practice questions
SAA-C03 NAT gateway questions
SAA-C03 VPC endpoint questions
SAA-C03 Auto Scaling practice questions
SAA-C03 disaster recovery questions
SAA-C03 high availability questions
SAA-C03 cost optimization questions
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A team needs to distribute TCP traffic (not HTTP) across multiple services. The services must see the original client source IP for auditing. Which AWS load balancer is the best fit?
Question 2
A team wants to run containerized services with AWS-managed orchestration and autoscaling. They do NOT require Kubernetes compatibility. Which AWS service choice is most appropriate to meet these goals?
Question 3
A solutions architect is designing an S3 bucket for an IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.
Question 4
A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
Question 5
A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?
Question 6
A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
FAQ
Questions learners often ask
What does this SAA-C03 question test?
It tests whether you can pick the right edge control for abusive HTTP traffic hitting a CloudFront distribution: an AWS WAF web ACL with a rate-based rule, rather than origin tuning (ALB idle timeout), DNS failover (Route 53 health checks) or Shield Advanced on its own.
What is the correct answer to this question?
The correct answer is: Associate an AWS WAF web ACL with CloudFront and add a rate-based rule for the offending IP behavior. The logs show a single source IP generating repeated requests and driving origin errors, and the exhibit confirms that no web ACL is associated with the distribution. The best place to stop that traffic is at CloudFront, before requests reach the ALB or the application. AWS WAF can be attached to the CloudFront distribution and configured with a rate-based rule that counts requests per source IP and automatically blocks or challenges any source that exceeds the configured rate. That satisfies the requirement to mitigate abuse at the edge without changing application code. Changing the ALB idle timeout does not reduce request volume from a hostile client. Route 53 health checks are for failover, not request filtering. Shield Advanced adds useful protection against broad DDoS attacks, but its application-layer mitigations work through a WAF web ACL, and it does not replace a targeted rate-based rule for a specific abusive source pattern.
What should I do if I get this SAA-C03 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.