AWS Certified Security – Specialty — Question 215
A company has a web-based application using Amazon CloudFront and running on Amazon Elastic Container Service (Amazon ECS) behind an Application Load Balancer (ALB). The ALB is terminating TLS and balancing load across ECS service tasks. A security engineer needs to design a solution to ensure that application content is accessible only through CloudFront and that it is never accessible directly.
How should the security engineer build the MOST secure solution?
Answer options
- A. Add an origin custom header. Set the viewer protocol policy to HTTP and HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.
- B. Add an origin custom header. Set the viewer protocol policy to HTTPS only. Set the origin protocol policy to match viewer. Update the application to validate the CloudFront custom header.
- C. Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTP only. Update the application to validate the CloudFront custom header.
- D. Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.
Correct answer: D
Explanation
Option D is the most secure because it redirects every viewer request to HTTPS, so traffic between the viewer and CloudFront is always encrypted, and it sets the origin protocol policy to HTTPS only, so traffic between CloudFront and the ALB is also always encrypted. Combined with the origin custom header, which the application validates on every request, this ensures that no unencrypted traffic is accepted on either leg and that only requests carrying the valid CloudFront header reach the application. The other options either allow HTTP traffic from the viewer or do not enforce HTTPS between CloudFront and the origin, leaving a leg of the path that can be intercepted or reached directly.
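The "update the application to validate the CloudFront custom header" step is the one part of option D that lives in code rather than in the CloudFront console. The following is an added example, not part of the exam page or any AWS-provided code, showing how an application behind the ALB can enforce that check. It assumes CloudFront has been configured to add a custom origin header named X-Origin-Verify whose value is a secret shared only between CloudFront and the application; the header name, the `ORIGIN_VERIFY_SECRET` environment variable and the placeholder secret are constructed for the example. It is written as a plain WSGI middleware so it runs with no third-party packages.

```python
"""Validate a CloudFront origin custom header at the application.

Added example, not from the exam page. Assumes CloudFront adds a custom
origin header X-Origin-Verify carrying a shared secret; header name,
environment variable and placeholder value are constructed for the demo.
"""
import hmac
import os

HEADER_NAME = "X-Origin-Verify"  # assumed name of the CloudFront custom origin header

# In production the secret should come from configuration (for example an
# environment variable populated from a secrets store); the literal fallback
# here is a constructed placeholder so the example runs offline.
ORIGIN_SECRET = os.environ.get("ORIGIN_VERIFY_SECRET", "placeholder-secret-value")


def is_from_cloudfront(headers: dict, secret: str = ORIGIN_SECRET) -> bool:
    """Return True only if the request carries exactly the shared secret.

    hmac.compare_digest compares in constant time, so a caller probing the
    origin cannot learn how many leading bytes of a guess were correct.
    """
    supplied = headers.get(HEADER_NAME)
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), secret.encode())


def wsgi_header_key(name: str) -> str:
    """Map an HTTP header name to its WSGI environ key (X-Origin-Verify -> HTTP_X_ORIGIN_VERIFY)."""
    return "HTTP_" + name.upper().replace("-", "_")


def origin_verify_middleware(app, secret: str = ORIGIN_SECRET):
    """Wrap a WSGI app so any request without the valid header gets 403.

    Because the ALB forwards requests from anyone who can reach it, this
    check is what turns "only via CloudFront" from a routing hope into an
    enforced rule at the application.
    """
    key = wsgi_header_key(HEADER_NAME)

    def wrapped(environ, start_response):
        headers = {HEADER_NAME: environ[key]} if key in environ else {}
        if not is_from_cloudfront(headers, secret):
            body = b"Forbidden: direct access to the origin is not allowed\n"
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)

    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the real ECS application."""
    body = b"hello from the ECS task\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, environ):
    """Invoke a WSGI app once and return (status, body); used for the demo and tests."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


protected_app = origin_verify_middleware(demo_app)

if __name__ == "__main__":
    # Constructed requests: one hitting the ALB directly, one that came via CloudFront.
    direct = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    via_cloudfront = dict(direct, HTTP_X_ORIGIN_VERIFY=ORIGIN_SECRET)
    print(call(protected_app, direct))          # ('403 Forbidden', ...)
    print(call(protected_app, via_cloudfront))  # ('200 OK', ...)
```

The header check is an additional layer on top of the two protocol policies, not a replacement for them: the HTTPS-only origin policy is what keeps the secret from travelling in cleartext between CloudFront and the ALB. Rotating the secret means updating it in the CloudFront origin configuration and in the application's configuration at the same time, ideally accepting both old and new values during the changeover.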