AWS Certified Security – Specialty — Question 276
A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:
✑ HTTPS needs to be enforced for all data in transit with specific ciphers.
✑ The CloudFront distribution needs to be accessible from the internet only.
Which solution will meet these requirements?
Answer options
- A. Set up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers. Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.
- B. Set up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.
- C. Modify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges.
- D. Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTP listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect to Amazon S3. Create a bucket policy to allow access from these proxies only.
Correct answer: A
Explanation
Option A is correct because the aws:SecureTransport condition key in the S3 bucket policy rejects any request that does not arrive over HTTPS, and combining it with an Origin Access Identity (OAI) keeps the static content from being fetched from the bucket directly instead of through CloudFront. For the dynamic content, an HTTPS-only listener on the ALB with the appropriate security policy restricts the TLS ciphers that are accepted, and associating AWS WAF with the ALB limits incoming traffic to the CloudFront IP ranges, so the ALB is reachable only through the distribution. The other options fail: B never restricts the ALB to CloudFront, so it remains directly reachable from the internet; C tries to specify TLS ciphers in the S3 bucket policy, which bucket policies do not support; and D puts a plain HTTP listener on the ALB, which violates the HTTPS-only requirement, and likewise leaves the ALB open to direct access.
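As an added illustration (not part of the original question or explanation), this is the S3 bucket policy that option A describes: a single Allow for the CloudFront OAI principal and a Deny for every request that does not use TLS, via the aws:SecureTransport condition key. The bucket name and the OAI ID are placeholders, not values from the page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnlyFromCloudFrontOAI",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-static-site-bucket/*"
    },
    {
      "Sid": "DenyAnyRequestWithoutTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-static-site-bucket",
        "arn:aws:s3:::example-static-site-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

With S3 Block Public Access left enabled, the only principal that can read objects is the OAI, so browsers must go through the CloudFront distribution; the cipher set itself is chosen on the distribution's and the ALB listener's security policies, since a bucket policy has no place to express it.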