AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 38

A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application's origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?

Answer options

• A. Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.
• B. Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.
• C. Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.
• D. Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.

Correct answer: A

Explanation

Option A is the correct answer because using an IP whitelist in AWS WAF restricts access to the application only to known client IPs, providing a robust layer of security. Options B and C do not completely isolate the origin from external access, as they rely on headers or traffic validation that could potentially be spoofed. Option D, while it provides some level of protection, does not specifically enforce access only to known IPs, which is crucial in this scenario.