One question in the Quiz for Infrastructure Security asks for the best way to block any request to access publicly available files in your S3 bucket that comes from the following IP address range: 126.96.36.199/24. The correct answer given is to use an AWS WAF Web ACL, but it’s also possible to do this using a bucket policy, see https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-3. Thus two answers are correct here; is there an error, or is there a reason why using WAF is the only correct option?
Thanks, yes, I think you’re right; I’m going to update that question.
I think the answer’s actually wrong, as it doesn’t mention using CloudFront over S3, and you cannot use AWS WAF to protect an S3 bucket directly. The only correct answer is with a bucket policy.
Faye, what is the correct answer, or the correct question? Please let us know when you make updates.
Question still says choose two, even though three answers are valid and expected.
Please also take note of the following article when updating the questions:
"Note: It’s a best practice not to use the aws:SourceIp condition key."
"You can use the aws:SourceIp global condition key in the condition element of an IAM policy to restrict API calls from specific IP addresses, but this denies access to AWS services such as AWS CloudFormation that make calls on your behalf."
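To make the bucket-policy alternative from the first post concrete, here is an added example (not from the thread or the course): it builds a Deny statement for the quiz's range using the `aws:SourceIp` condition and checks which source addresses it would match. The bucket name is a placeholder, and the evaluator models only the explicit-deny step of policy evaluation for requests that carry a source IP; calls made on your behalf by AWS services, the case the quoted note warns about, are not modelled.

```python
import ipaddress
import json

BUCKET = "example-bucket"           # assumption: placeholder bucket name
BLOCKED_RANGE = "126.96.36.199/24"  # the range from the quiz question


def blocked_range_policy(bucket: str, cidr: str) -> dict:
    """Bucket policy that denies object reads from one CIDR range.

    Only the Deny is built here; whatever grants the public read (an Allow
    statement or the bucket's public-access settings) is left unchanged."""
    # strict=False clears the host bits the question left set:
    # 126.96.36.199/24 becomes 126.96.36.0/24, which is what S3 expects.
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyReadsFromBlockedRange",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": str(net)}},
        }],
    }


def read_denied_by_policy(policy: dict, source_ip: str) -> bool:
    """True if any Deny statement's aws:SourceIp condition matches source_ip.

    Explicit-deny step only: an explicit Deny always wins, so a match here
    means the read is blocked regardless of any Allow elsewhere."""
    addr = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        matched = True  # a Deny with no Condition matches every request
        for op, keys in stmt.get("Condition", {}).items():
            values = keys.get("aws:SourceIp", [])
            values = [values] if isinstance(values, str) else values
            in_range = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
            if op == "IpAddress":
                matched &= in_range
            elif op == "NotIpAddress":
                matched &= not in_range
            else:
                raise ValueError(f"operator not modelled: {op}")
        if matched:
            return True
    return False


if __name__ == "__main__":
    policy = blocked_range_policy(BUCKET, BLOCKED_RANGE)
    print(json.dumps(policy, indent=2))
    for ip in ("126.96.36.7", "126.96.37.7"):
        print(ip, "denied" if read_denied_by_policy(policy, ip) else "not denied")
```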