AWS Certified Solutions Architect – Professional (SAP-C02) — Question 323

A company recently migrated a web application from an on-premises data center to the AWS Cloud. The web application infrastructure consists of an Amazon CloudFront distribution that routes to an Application Load Balancer (ALB), with Amazon Elastic Container Service (Amazon ECS) to process requests. A recent security audit revealed that the web application is accessible by using both CloudFront and ALB endpoints. However, the company requires that the web application must be accessible only by using the CloudFront endpoint.

Which solution will meet this requirement with the LEAST amount of effort?

Answer options

Correct answer: B

Explanation

AWS publishes an AWS-managed prefix list, com.amazonaws.global.cloudfront.origin-facing, that contains the IP ranges CloudFront uses when it connects to origins (the origin-facing ranges, not the client-facing edge ranges). AWS keeps the list current, so referencing it as the source of the ALB security group's inbound rules (TCP 443, plus 80 if the origin protocol is HTTP) means the ALB accepts connections only from CloudFront, with nothing for the company to maintain. The alternatives cost more: building security group rules from ip-ranges.json requires custom automation (typically a Lambda function subscribed to the AmazonIpSpaceChanged SNS topic) to track changes, and an ALB security group cannot reference a CloudFront security group as its source because CloudFront is a global service that does not run inside a VPC and has no security group of its own.

Two caveats are worth knowing before applying this. The CloudFront managed prefix list has a weight of 55 entries against the security group's inbound rule quota (60 per security group by default), so it may not fit in a security group that already carries many rules without a quota increase. And the prefix list restricts the origin to CloudFront as a service, not to this company's distribution: any CloudFront distribution could still be pointed at the ALB. If that matters, configure a custom origin header with a secret value on the distribution and an ALB listener rule that forwards only requests carrying it; that is extra work beyond what the question asks for.
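The following is an added example, not part of the exam page or of any AWS-supplied code. It builds the IpPermissions structure for the prefix-list rule, builds the optional custom-origin-header listener condition mentioned above, and audits a security group (in the JSON shape returned by describe-security-groups) for any inbound source other than the CloudFront prefix list. The security group IDs, prefix-list ID and header secret are made up; the real prefix-list ID differs per region and is looked up with `aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing`.

```python
"""Build and audit ALB security group rules that admit only CloudFront.

Added example for the SAP-C02 question above. The dictionaries mirror the
shapes used by the AWS CLI / boto3 (describe-security-groups output,
authorize-security-group-ingress --ip-permissions input, and the
Conditions list of elbv2 create-rule). All identifiers are constructed.
"""

CLOUDFRONT_PL_NAME = "com.amazonaws.global.cloudfront.origin-facing"


def build_ingress_permissions(prefix_list_id, ports=(443,)):
    """Return the IpPermissions list for authorize-security-group-ingress.

    One rule per port, sourced from the managed prefix list only, so the
    resulting security group carries no CIDR sources at all.
    """
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "PrefixListIds": [
                {
                    "PrefixListId": prefix_list_id,
                    "Description": "CloudFront origin-facing ranges",
                }
            ],
        }
        for port in ports
    ]


def build_origin_header_condition(header_name, secret):
    """Return the listener-rule condition that matches the custom origin header.

    Used when the origin must accept only the company's own distribution, not
    any CloudFront distribution; the same header/value pair is set as a custom
    origin header on the distribution. The header name is a conventional choice.
    """
    return [
        {
            "Field": "http-header",
            "HttpHeaderConfig": {"HttpHeaderName": header_name, "Values": [secret]},
        }
    ]


def audit_ingress(security_group, prefix_list_id):
    """Return a list of findings: inbound sources other than the CloudFront prefix list.

    An empty list means every inbound rule is sourced solely from the given
    prefix list, i.e. the ALB is reachable only through CloudFront.
    """
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # "-1" means all protocols/ports in the describe-security-groups output.
        where = "all" if proto == "-1" else f"{proto}/{perm.get('FromPort')}-{perm.get('ToPort')}"
        for r in perm.get("IpRanges", []):
            findings.append(f"{where} open to CIDR {r['CidrIp']}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"{where} open to CIDR {r['CidrIpv6']}")
        for pl in perm.get("PrefixListIds", []):
            if pl["PrefixListId"] != prefix_list_id:
                findings.append(f"{where} open to prefix list {pl['PrefixListId']}")
        for g in perm.get("UserIdGroupPairs", []):
            findings.append(f"{where} open to security group {g['GroupId']}")
    return findings


# Constructed sample data (made-up IDs). BEFORE is the audited state from the
# question: the ALB listener is open to the whole internet on 443.
CLOUDFRONT_PL_ID = "pl-0123456789abcdef0"
BEFORE_SG = {
    "GroupId": "sg-0aaaaaaaaaaaaaaaa",
    "IpPermissions": [
        {
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            "PrefixListIds": [],
            "UserIdGroupPairs": [],
        }
    ],
}
AFTER_SG = {
    "GroupId": "sg-0aaaaaaaaaaaaaaaa",
    "IpPermissions": build_ingress_permissions(CLOUDFRONT_PL_ID),
}

if __name__ == "__main__":
    print("before:", audit_ingress(BEFORE_SG, CLOUDFRONT_PL_ID))
    print("after: ", audit_ingress(AFTER_SG, CLOUDFRONT_PL_ID))
```

To apply the rule, pass the output of `build_ingress_permissions` as the `--ip-permissions` JSON to `aws ec2 authorize-security-group-ingress --group-id sg-...`, then revoke the old 0.0.0.0/0 and ::/0 rules; running `audit_ingress` over the describe-security-groups result afterwards is the check that the audit finding is actually closed.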