AWS Certified Solutions Architect – Professional (SAP-C02) — Question 412
A company needs to improve the security of its web-based application on AWS. The application uses Amazon CloudFront with two custom origins. The first custom origin routes requests to an Amazon API Gateway HTTP API. The second custom origin routes traffic to an Application Load Balancer (ALB). The application integrates with an OpenID Connect (OIDC) identity provider (IdP) for user management.
A security audit shows that a JSON Web Token (JWT) authorizer provides access to the API. The security audit also shows that the ALB accepts requests from unauthenticated users.
A solutions architect must design a solution to ensure that all backend services respond to only authenticated users.
Which solution will meet this requirement?
Answer options
- A. Configure the ALB to enforce authentication and authorization by integrating the ALB with the IdP. Allow only authenticated users to access the backend services.
- B. Modify the CloudFront configuration to use signed URLs. Implement a permissive signing policy that allows any request to access the backend services.
- C. Create an AWS WAF web ACL that filters out unauthenticated requests at the ALB level. Allow only authenticated traffic to reach the backend services.
- D. Enable AWS CloudTrail to log all requests that come to the ALB. Create an AWS Lambda function to analyze the logs and block any requests that come from unauthenticated users.
Correct answer: A
Explanation
Integrating the Application Load Balancer (ALB) directly with an OpenID Connect (OIDC) compliant identity provider allows the ALB to securely authenticate users before routing their traffic to the target group. Using CloudFront signed URLs with a permissive policy does not secure the ALB itself, and AWS WAF cannot natively handle OIDC authentication flows directly. Implementing a reactive CloudTrail and Lambda-based log analysis solution is highly inefficient, latent, and does not provide real-time prevention of unauthorized access.