You deploy a Web ACL with an AWS WAF rate-based rule intended to limit abusive traffic to your API. After the deployment, attackers still reach the backend service. ALB access logs show requests arrive at the ALB, but WAF logs indicate the Web ACL is not evaluating those requests.
Which change most likely fixes the issue?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Associate the Web ACL with the Application Load Balancer resource ARN so WAF evaluates requests sent to that ALB.
For an ALB, the Web ACL must be associated with the load balancer resource itself. If it is not attached to the ALB, WAF will not inspect those requests.
Add a security group rule that drops inbound traffic from the attacker IP range at the instances' ENIs.
Security groups can block traffic, but this does not fix the fact that WAF is not evaluating the requests.
Create a target group stickiness policy so WAF can count requests consistently per client IP.
Stickiness affects load balancing behavior, not whether WAF evaluates requests.
Enable AWS Shield Advanced but keep the Web ACL unattached because Shield automatically applies rate limiting.
Shield protects against certain DDoS conditions, but it does not replace WAF association or WAF rate-based rules.
Common exam trap
NAT is not only about the public address. The inside/outside interface roles and the ACL or rule that matches traffic are just as important.
Technical deep dive
NAT questions usually test address translation, overload/PAT behaviour, static mappings and whether the right traffic is being translated. Read the interface direction and address terms carefully.
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise SAA-C03 questions linked to SAA-C03 VPC.
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
FAQ
Static NAT maps one inside address to one outside address.
The correct answer is: Associate the Web ACL with the Application Load Balancer resource ARN so WAF evaluates requests sent to that ALB. — AWS WAF on an Application Load Balancer is associated with the ALB resource itself. If the Web ACL is not attached to the ALB, WAF will not inspect inbound requests and the rate-based rule will never trigger. Associating the Web ACL with the correct ALB resource ARN ensures WAF evaluates the traffic before it reaches the targets. Why others are wrong: Option B may block some traffic at the network layer, but it does not solve the missing WAF evaluation. Option C changes load-balancing behavior, not WAF inspection. Option D confuses DDoS protection with WAF policy enforcement; Shield does not automatically apply WAF rate limiting.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Sign in to join the discussion.