AWS Certified Security – Specialty (SCS-C02) — Question 204

A company is using an Amazon CloudFront distribution to deliver content from two origins. One origin is a dynamic application that is hosted on Amazon EC2 instances. The other origin is an Amazon S3 bucket for static assets.

A security analysis shows that HTTPS responses from the application do not comply with a security requirement to provide an X-Frame-Options HTTP header to prevent frame-related cross-site scripting attacks. A security engineer must make the full stack compliant by adding the missing HTTP header to the responses.

Which solution will meet these requirements?

Answer options

• A. Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront origin response event.
• B. Create a Lambda@Edge function. Include code to add the X-Frame-Options header to the response. Configure the function to run in response to the CloudFront viewer request event.
• C. Update the CloudFront distribution by adding X-Frame-Options to custom headers in the origin settings.
• D. Customize the EC2 hosted application to add the X-Frame-Options header to the responses that are returned to CloudFront.

Correct answer: A

Explanation

The correct answer is A, as creating a Lambda@Edge function that triggers on the CloudFront origin response event allows the addition of the X-Frame-Options header directly to the responses from EC2. Options B and D do not effectively address the requirement for responses from the CloudFront distribution, while C does not provide a means to add the header dynamically for the EC2 application responses.