AWS Certified Security – Specialty — Question 356
A company wants to implement a content delivery network for an upcoming product launch. The origin for distribution is an object store outside of AWS and requires the Authorization header from the request to be passed to it.
How can a security engineer meet this requirement in the LEAST amount of time?
Answer options
- A. Migrate the objects to Amazon S3. Create a new AWS Global Accelerator accelerator that has a listener on port 443 and an endpoint group that points to the origin distribution.
- B. Create a new Amazon CloudFront distribution. Create a new CloudFront custom header for X-Amz-Authorization. Attach the header to the distribution.
- C. Create a new Amazon CloudFront distribution. Create a new CloudFront cache policy with a header whitelist for the Authorization header. Attach the policy to the distribution.
- D. Migrate the objects to Amazon S3. Create a new Amazon CloudFront distribution. Create a new CloudFront cache policy with a header whitelist for the Authorization header. Attach the policy to the distribution.
Correct answer: C
Explanation
Creating an Amazon CloudFront distribution that uses the existing object store as a custom origin avoids the time-consuming process of migrating data to Amazon S3. A CloudFront cache policy with the Authorization header in its header whitelist makes CloudFront include that header in the cache key and forward it to the origin, so the custom origin receives the credentials it requires. Migrating objects as suggested in options A and D is unnecessary, and option B adds a separate X-Amz-Authorization custom header instead of passing the client's original Authorization header.