Exhibit
CloudFront access log excerpt (simplified: time, client IP, method, path, status, latency):

2026-04-27T10:15:12Z 203.0.113.24 GET /api/orders 200 112ms
2026-04-27T10:15:12Z 203.0.113.24 GET /api/orders 200 109ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 111ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 108ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 110ms

Security requirement:
- Automatically mitigate high-rate requests from a single source IP
- Keep the protection at the edge
Based on the exhibit, a public API is behind CloudFront and is experiencing bursts of requests from the same client IP, causing upstream saturation. The team wants AWS to automatically block that IP when the request rate becomes excessive while keeping enforcement as close to the client as possible. Which control should they add?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
Add an AWS WAF rate-based rule to the CloudFront distribution and configure it to block the source IP after the threshold is exceeded.
AWS WAF rate-based rules are purpose-built for this use case. A rate-based rule counts requests per aggregation key (by default the client IP) over a trailing evaluation window and, once an IP exceeds the configured limit, applies the rule action (block, CAPTCHA, challenge, or count) to that IP's further requests until its rate falls back below the limit. Attaching the Web ACL to the CloudFront distribution enforces the control at the edge, so abusive requests are dropped before they reach the origin and consume upstream capacity. Two practitioner caveats: because the key is the client IP, many legitimate users behind one NAT or proxy can be blocked together, so scope the rule down to the affected path (here /api/orders) rather than the whole distribution and consider a forwarded-IP header if there is a trusted proxy in front of CloudFront; and a Web ACL with CloudFront scope must be created in us-east-1 (N. Virginia) before it can be associated with the distribution.
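The following is an added example, not code from the page or from AWS. It does two things: it models what a rate-based rule decides when run over the exhibit's log lines (the five exhibit lines plus two constructed lines from a second, well-behaved client), and it builds the wafv2 rule and Web ACL objects that boto3's create_web_acl accepts, scoped to CloudFront. The toy threshold of 3 requests per minute used in the simulation is an assumed value far below anything AWS WAF accepts, chosen only so the five exhibit lines trip it; the limit of 100 in the rule object is likewise an assumed production value.

```python
"""Added example: what a WAF rate-based rule decides, applied to the exhibit's log lines,
and how such a rule is declared for a CloudFront-scoped Web ACL. Not page or AWS code."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample input in the exhibit's simplified format:
# time, client IP, method, path, status, latency. 198.51.100.7 is a constructed second client.
SAMPLE_LOG = """\
2026-04-27T10:15:12Z 203.0.113.24 GET /api/orders 200 112ms
2026-04-27T10:15:12Z 203.0.113.24 GET /api/orders 200 109ms
2026-04-27T10:15:13Z 198.51.100.7 GET /api/orders 200 98ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 111ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 108ms
2026-04-27T10:15:13Z 203.0.113.24 GET /api/orders 200 110ms
2026-04-27T10:15:14Z 198.51.100.7 GET /api/orders 200 101ms
"""


def parse_log(text):
    """Parse the simplified exhibit format into dicts with a UTC datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, _latency = line.split()
        rows.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip, "method": method, "path": path, "status": int(status),
        })
    return rows


def simulate_rate_rule(rows, limit, window_sec, path_prefix=None):
    """Idealised model of a rate-based rule aggregated by client IP.

    Only requests matching the optional scope-down prefix are counted. Once an IP's
    count in the trailing window exceeds `limit`, its further requests are blocked
    until the count drops back under the limit. Real AWS WAF evaluates on a short lag
    rather than per request, so this shows the logic, not the exact timing.
    Returns [(ip, path, "ALLOW" | "BLOCK"), ...] in log order.
    """
    recent = defaultdict(deque)
    decisions = []
    for r in sorted(rows, key=lambda r: r["time"]):  # stable sort keeps log order within a second
        if path_prefix and not r["path"].startswith(path_prefix):
            decisions.append((r["ip"], r["path"], "ALLOW"))  # outside scope-down: never counted
            continue
        q = recent[r["ip"]]
        while q and (r["time"] - q[0]).total_seconds() >= window_sec:
            q.popleft()  # drop hits that fell out of the trailing window
        q.append(r["time"])
        decisions.append((r["ip"], r["path"], "BLOCK" if len(q) > limit else "ALLOW"))
    return decisions


def blocked_ips(decisions):
    return sorted({ip for ip, _path, action in decisions if action == "BLOCK"})


def rate_based_rule(name, limit, window_sec, path_prefix=None):
    """Build the wafv2 rule object that boto3's create_web_acl / update_web_acl takes in Rules.

    `window_sec` must be one of the supported evaluation windows (60, 120, 300, 600) and
    `limit` within the range AWS WAF accepts; the values passed below are assumed.
    """
    rate = {"Limit": limit, "AggregateKeyType": "IP", "EvaluationWindowSec": window_sec}
    if path_prefix:
        # Scope-down statement: count only the hot path, not every request to the distribution.
        rate["ScopeDownStatement"] = {"ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": path_prefix.encode(),
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }}
    return {
        "Name": name, "Priority": 0,
        "Statement": {"RateBasedStatement": rate},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def web_acl_kwargs(rule, acl_name="api-edge-acl"):
    """Keyword arguments for wafv2.create_web_acl. CloudFront-scoped ACLs live in us-east-1:
    boto3.client("wafv2", region_name="us-east-1").create_web_acl(**web_acl_kwargs(rule))
    The returned ARN is then set as the distribution's WebACLId. `acl_name` is an assumed name."""
    return {
        "Name": acl_name, "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}}, "Rules": [rule],
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": acl_name},
    }


if __name__ == "__main__":
    # Toy threshold: 3 requests per 60 s, chosen so the exhibit's burst trips it.
    decisions = simulate_rate_rule(parse_log(SAMPLE_LOG), limit=3, window_sec=60, path_prefix="/api/")
    for ip, path, action in decisions:
        print(f"{action:5} {ip:14} {path}")
    print("blocked:", blocked_ips(decisions))
    print(web_acl_kwargs(rate_based_rule("block-burst-per-ip", limit=100, window_sec=60, path_prefix="/api/")))
```

Run as written, the fourth and fifth requests from 203.0.113.24 are marked BLOCK while the second client is untouched, which is the per-IP behaviour the question is after; the rule object shows where the limit, window and scope-down live so the same thing can be expressed in CloudFormation or Terraform.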
Distractor review
Add a network ACL rule that denies the source IP after five requests are observed.
Network ACLs are stateless, subnet-level packet filters. They cannot count HTTP requests, apply sliding-window thresholds, or dynamically change based on application-layer behavior. They also do not sit at the CloudFront edge, so they cannot satisfy the requirement to automatically mitigate excessive request rates at the edge.
Distractor review
Enable AWS Shield Advanced and create a custom protection group for the single IP address.
AWS Shield Advanced is designed for DDoS detection and mitigation, especially volumetric and infrastructure-layer attacks. Its protection groups are collections of protected resources (distributions, load balancers, Elastic IPs) that are monitored and mitigated as a unit; they are not per-IP block lists, so "a protection group for the single IP address" is not a thing the service offers. Shield Advanced does bundle AWS WAF and can place rate-limiting rules into the Web ACL during a detected application-layer event, but the requirement here is a deterministic per-IP threshold that acts whenever the rate is exceeded, which is a WAF rate-based rule configured directly on the distribution's Web ACL.
Distractor review
Place the API behind a security group rule that allows only the current client IP range.
Security groups are static, stateful network controls for ENIs. They do not inspect HTTP request rates or react to bursts of traffic from a single IP. They also cannot implement edge-based application-layer blocking for a CloudFront-fronted API.
Common exam trap
Common exam trap: network ACLs stop at the first match
A VPC network ACL is evaluated in ascending rule-number order. The first rule whose protocol, port range and CIDR match the packet decides, and the final catch-all rule (shown as *) denies anything no numbered rule matched. A deny entry for a noisy client does nothing if a broader allow with a lower rule number matches the same traffic first.
Technical deep dive
How to think about this question
Network ACL questions test precision: source, destination, protocol, port range and direction. A correctly written rule can still fail if it sits in the wrong direction (inbound versus outbound) or behind a broader rule that matches first. Because network ACLs are stateless, return traffic also needs its own rule in the opposite direction, typically covering the ephemeral port range. None of that helps with this question: a network ACL matches packet headers and never counts HTTP requests, which is why the answer moves to AWS WAF at the CloudFront edge.
Key Concepts to Remember
- Network ACLs are stateless and apply at the subnet boundary; security groups are stateful and apply at the ENI.
- Rules are evaluated in ascending rule-number order; the first matching rule is used.
- The final * rule denies any traffic no numbered rule matched.
- Neither network ACLs nor security groups count HTTP requests; per-IP rate thresholds belong to AWS WAF.
Exam Day Tips
- Check inbound versus outbound direction.
- Read the rules in rule-number order.
- Look for a broader allow or deny with a lower number than the intended rule.
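The following is an added example, not code from the page or from AWS, showing the first-match trap above with two constructed inbound rule tables: one where a broad HTTPS allow at rule 100 shadows a per-client deny at rule 200, and the corrected table with the specific deny numbered first. The evaluator models the documented order (lowest rule number first, final * rule denies); rule numbers, CIDRs and ports are constructed.

```python
"""Added example: first-match evaluation of a VPC network ACL and a check for rules
that pre-empt each other. Not page or AWS code; all rule tables are constructed."""
from ipaddress import ip_address, ip_network

# Constructed inbound table: (rule number, protocol, (from port, to port), source CIDR, action).
# Intent: block the noisy client on every port. Effect: rule 100 matches its HTTPS traffic first.
SHADOWED_INBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (200, "tcp", (0, 65535), "203.0.113.24/32", "deny"),
]

# Same intent, with the specific deny numbered below the broad allow so it is evaluated first.
FIXED_INBOUND = [
    (90, "tcp", (0, 65535), "203.0.113.24/32", "deny"),
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
]


def evaluate_nacl(rules, protocol, port, address):
    """Return (rule_number, action) of the first matching rule, or ("*", "deny")."""
    addr = ip_address(address)
    for number, rproto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto in ("all", protocol) and lo <= port <= hi and addr in ip_network(cidr):
            return number, action
    return "*", "deny"


def overlapping_rules(rules):
    """Report (later, earlier) pairs where an earlier rule with a different action
    overlaps a later rule's match space, i.e. pre-empts part of it. Review each pair:
    in SHADOWED_INBOUND the overlap defeats the deny; in FIXED_INBOUND it is intended."""
    ordered = sorted(rules, key=lambda r: r[0])
    report = []
    for i, (num, proto, (lo, hi), cidr, action) in enumerate(ordered):
        for pnum, pproto, (plo, phi), pcidr, paction in ordered[:i]:
            proto_overlap = pproto == "all" or proto == "all" or pproto == proto
            port_overlap = lo <= phi and plo <= hi
            cidr_overlap = ip_network(cidr).overlaps(ip_network(pcidr))
            if proto_overlap and port_overlap and cidr_overlap and paction != action:
                report.append((num, pnum))
                break
    return report


if __name__ == "__main__":
    for table_name, table in (("shadowed", SHADOWED_INBOUND), ("fixed", FIXED_INBOUND)):
        print(table_name, "443 from noisy client ->", evaluate_nacl(table, "tcp", 443, "203.0.113.24"))
        print(table_name, "overlaps:", overlapping_rules(table))
```

In the shadowed table the noisy client's HTTPS traffic is allowed by rule 100 and the deny at 200 never fires; only after the deny is renumbered below the allow does it take effect. Even then the network ACL is only dropping packets from one fixed address, which is not the automatic rate mitigation the question asks for.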
Related practice questions
Related SAA-C03 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
SAA-C03 VPC practice questions
Practise SAA-C03 questions on VPC.
SAA-C03 S3 lifecycle policy questions
Practise SAA-C03 questions on S3 lifecycle policies.
SAA-C03 RDS Multi-AZ questions
Practise SAA-C03 questions on RDS Multi-AZ.
SAA-C03 IAM policy practice questions
Practise SAA-C03 questions on IAM policies.
SAA-C03 Route 53 failover questions
Practise SAA-C03 questions on Route 53 failover.
SAA-C03 CloudFront practice questions
Practise SAA-C03 questions on CloudFront.
SAA-C03 NAT gateway questions
Practise SAA-C03 questions on NAT gateways.
SAA-C03 VPC endpoint questions
Practise SAA-C03 questions on VPC endpoints.
SAA-C03 Auto Scaling practice questions
Practise SAA-C03 questions on Auto Scaling.
SAA-C03 disaster recovery questions
Practise SAA-C03 questions on disaster recovery.
SAA-C03 high availability questions
Practise SAA-C03 questions on high availability.
SAA-C03 cost optimization questions
Practise SAA-C03 questions on cost optimization.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A team needs to distribute TCP traffic (not HTTP) across multiple services. The services must see the original client source IP for auditing. Which AWS load balancer is the best fit?
Question 2
A team wants to run containerized services with AWS-managed orchestration and autoscaling. They do NOT require Kubernetes compatibility. Which AWS service choice is most appropriate to meet these goals?
Question 3
A solutions architect is designing an S3 bucket for an IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.
Question 4
A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
Question 5
A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?
Question 6
A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
FAQ
Questions learners often ask
What does this SAA-C03 question test?
It tests choosing an edge-enforced, application-aware rate limit: an AWS WAF rate-based rule on the CloudFront distribution's Web ACL, as opposed to network-layer controls (network ACLs, security groups) and DDoS protection (Shield Advanced) that do not count HTTP requests per source IP.
What is the correct answer to this question?
The correct answer is: Add an AWS WAF rate-based rule to the CloudFront distribution and configure it to block the source IP after the threshold is exceeded. — AWS WAF rate-based rules are the right fit because they operate at the HTTP request layer and can automatically block traffic from a source IP after the configured threshold is exceeded. By attaching the Web ACL to the CloudFront distribution, the control is enforced at the edge before requests reach the application origin. That directly addresses the saturation problem with a managed, application-aware control. Network ACLs and security groups cannot inspect request rates or apply threshold logic. Shield Advanced focuses on DDoS mitigation rather than simple per-IP HTTP throttling. AWS WAF is the AWS service designed for request-level filtering and automated blocking based on request behavior, so it is the best answer here.
What should I do if I get this SAA-C03 question wrong?
Reread the distractor review to see why each wrong option is tempting, then try more questions from the same exam bank or from the CloudFront and VPC topic pages above.