AWS Certified Solutions Architect – Professional (SAP-C02) — Question 164

A company runs an application on a fleet of Amazon EC2 instances that are in private subnets behind an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL that contains various AWS managed rules is associated with the CloudFront distribution.

The company needs a solution that will prevent internet traffic from directly accessing the ALB.

Which solution will meet these requirements with the LEAST operational overhead?

Answer options

Correct answer: C

Explanation

Option C is correct because adding a security group rule to the ALB that permits traffic from the AWS managed prefix list for CloudFront effectively ensures only CloudFront can access the ALB, reducing operational overhead. Options A and B involve creating or associating new web ACLs, which do not directly prevent internet traffic and add complexity. Option D is less efficient because it requires maintaining a list of CloudFront IP addresses that may change over time.
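The rule described in Option C, expressed as infrastructure code. This is an added example for this page, not code from the exam question or from AWS; it assumes an already-configured AWS provider for the ALB's region and an existing ALB security group passed in as `var.alb_security_group_id` (both assumptions). The prefix list name `com.amazonaws.global.cloudfront.origin-facing` is the real AWS-managed list of CloudFront origin-facing ranges; Terraform resolves its region-specific ID at plan time, so no IP addresses are maintained by hand.

```hcl
# Added example (not part of the exam question): restrict the internet-facing
# ALB's security group so that only CloudFront's origin-facing ranges can reach it.
# Assumed: the AWS provider is configured for the ALB's region, and the ALB's
# security group already exists and is supplied via var.alb_security_group_id.

variable "alb_security_group_id" {
  type        = string
  description = "Security group attached to the internet-facing ALB (assumed to exist)"
}

# Look up the AWS-managed prefix list by name; the ID differs per region,
# and AWS updates the list's entries, so nothing here needs manual upkeep.
data "aws_ec2_managed_prefix_list" "cloudfront_origin_facing" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

# Hardened ingress: HTTPS only, and only from the CloudFront prefix list.
# The insecure equivalent this replaces would be a rule with cidr_ipv4 = "0.0.0.0/0",
# which is what lets clients bypass CloudFront and AWS WAF by hitting the ALB directly.
resource "aws_vpc_security_group_ingress_rule" "alb_https_from_cloudfront" {
  security_group_id = var.alb_security_group_id
  description       = "HTTPS from CloudFront origin-facing ranges only"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront_origin_facing.id
}
```

Two things to check before relying on this. First, the rule only helps if no broader ingress rule remains on the same security group; after applying, list the group's inbound rules (for example with `aws ec2 describe-security-group-rules` filtered on the group ID) and confirm there is no `0.0.0.0/0` or `::/0` entry left. Second, a managed prefix list counts as multiple entries against the rules-per-security-group quota (AWS documents the CloudFront origin-facing list as weighing 55 entries), so verify the quota is sufficient. The rule also admits traffic from any CloudFront distribution, not only the company's own; if origin authentication is required in addition to source restriction, AWS's documented pattern is a secret custom origin header added by CloudFront and verified at the ALB, which is a separate control from the security group rule the question asks about.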