Amazon Web Services SAA-C03 Exam With Confidence Using Practice Dumps

Why Option B is Correct:

AWS WAF: Provides a simple way to create geographic match rules to block or allow traffic based on country IP ranges.

Least Operational Overhead: Attaching the WAF rule to the ALB ensures centralized control without modifying ACLs or instance firewalls.

Why Other Options Are Not Ideal:

Option A: Network ACLs operate at the subnet level and can become complex to manage for dynamic or evolving IP ranges.

Option C: Managing IP-based rules in security groups and ACLs lacks scalability and does not provide country-based filtering.

Option D: Configuring host-based firewalls increases operational overhead and does not leverage AWS-managed solutions.

AWS References:

AWS WAF Geomatch:AWS Documentation - WAF Geomatch

AWS Organizations: AWS Organizations allows you to create multiple AWS accounts and manage them centrally. You can organize accounts into organizational units (OUs) and apply policies to these units.

Organizational Units (OUs):

Create separate OUs for each department: finance, data analytics, and development.

Place the respective AWS accounts for each department into their corresponding OUs.

Service Control Policies (SCPs):

SCPs are policies that can restrict which AWS services and actions are available to accounts in an OU.

Create SCPs to define which services each department can use and attach these policies to the appropriate OUs.

SCPs apply to all IAM users, groups, and roles within the accounts in the OU, providing centralized control over service usage.

Operational Efficiency: Using AWS Organizations and SCPs provides a scalable and centralized way to manage permissions across multiple accounts with minimal operational overhead.

Amazon S3 Intelligent-Tiering is designed for data with unknown or changing access patterns. It automatically moves data between frequent and infrequent access tiers based on usage. This tier offers immediate access to all objects, regardless of which tier they are stored in, while optimizing storage costs. S3 Intelligent-Tiering also provides the same high durability, availability, and security as other S3 storage classes and supports access from external resources using standard S3 APIs. Lifecycle policies and Glacier classes are more suitable for archival when infrequent access is predictable, but retrieval from Glacier classes is not immediate and incurs extra charges and delays.

Reference Extract from AWS Documentation / Study Guide:

" S3 Intelligent-Tiering is designed to optimize costs by automatically moving data between two access tiers when access patterns change. Data is always available and immediately accessible, making it ideal for unknown or unpredictable access patterns. "

Source: AWS Certified Solutions Architect – Official Study Guide, S3 Storage Classes section.