AWS Certified Solutions Architect – Professional (SAP-C02) — Question 421
A medical company is running a REST API on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group behind an Application Load Balancer (ALB). The ALB runs in three public subnets, and the EC2 instances run in three private subnets. The company has deployed an Amazon CloudFront distribution that has the ALB as the only origin.
Which solution should a solutions architect recommend to enhance the origin security?
Answer options
- A. Store a random string in AWS Secrets Manager. Create an AWS Lambda function for automatic secret rotation. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Create an AWS WAF web ACL rule with a string match rule for the custom header. Associate the web ACL with the ALB.
- B. Create an AWS WAF web ACL rule with an IP match condition of the CloudFront service IP address ranges. Associate the web ACL with the ALMove the ALB into the three private subnets.
- C. Store a random string in AWS Systems Manager Parameter Store. Configure Parameter Store automatic rotation for the string. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Inspect the value of the custom HTTP header, and block access in the ALB.
- D. Configure AWS Shield Advanced Create a security group policy to allow connections from CloudFront service IP address ranges. Add the policy to AWS Shield Advanced, and attach the policy to the ALB.
Correct answer: A
Explanation
To ensure that the Application Load Balancer (ALB) only accepts traffic originating from CloudFront, the recommended approach is to configure CloudFront to inject a custom HTTP header containing a secret value, which is then verified by AWS WAF on the ALB. AWS Secrets Manager with a Lambda function provides a secure, automated way to rotate this secret, whereas Systems Manager Parameter Store does not natively support automatic rotation. Restricting access purely by CloudFront IP addresses is operationally difficult to maintain because CloudFront IP ranges change frequently.