🔥 3-day streak
AWS Certified Advanced Networking - Specialty136 / 141
Question 136 of 141
A company runs a public API behind Amazon CloudFront with an AWS WAF web ACL attached to the distribution. Compliance requires blocking all requests originating from countries outside of North America. After deploying a geo match rule that blocks non-US/CA/MX traffic, the security team discovers that some blocked-region clients are still reaching the origin. Investigation shows these clients route through a third-party CDN that forwards the original client IP in an X-Forwarded-For header. What is the MOST effective way to enforce the geo restriction reliably?
Reviewed for accuracy · Report an issueNext question