AWS Certified Solutions Architect – Professional — Question 327

A company is launching a web-based application in multiple regions around the world. The application consists of both static content stored in a private Amazon
S3 bucket and dynamic content hosted in Amazon ECS containers behind an Application Load Balancer (ALB). The company requires that the static and dynamic application content be accessible through Amazon CloudFront only.
Which combination of steps should a solutions architect recommend to restrict direct content access to CloudFront? (Choose three.)

Answer options

Correct answer: A, C, F

Explanation

Dynamic content (the ALB origin): CloudFront adds a custom origin header carrying a secret value to every request it forwards to the ALB (Option C), and an AWS WAF web ACL associated with the ALB blocks any request that does not carry that exact header value (Option A). A request sent straight to the ALB's DNS name never has the header, so it is blocked. Treat the header value as a secret: generate it randomly, keep it in AWS Secrets Manager, and rotate it by updating the CloudFront origin configuration and the WAF rule together. As defence in depth, the ALB's security group can allow inbound traffic only from the AWS-managed prefix list of CloudFront origin-facing IP ranges; that alone is not sufficient, because it still admits traffic from any other CloudFront distribution that someone points at the ALB, which is why the header check is part of the answer.

Static content (the S3 origin): create a CloudFront origin access identity (OAI), set it on the S3 origin, and replace the bucket policy with one that allows s3:GetObject only to that OAI principal (Option F), keeping S3 Block Public Access enabled. Viewers then cannot read objects with a direct S3 URL. For new distributions AWS now recommends origin access control (OAC) instead of OAI; the pattern is the same, with the bucket policy allowing the cloudfront.amazonaws.com service principal under a condition on the distribution ARN.

The other options are incorrect. A bucket ACL is not the mechanism for restricting access to a distribution: ACLs are a legacy access-control layer, AWS recommends keeping them disabled, and the grant to the OAI belongs in the bucket policy. Validating the custom header inside CloudFront does nothing about requests that bypass CloudFront, and adding the header at the ALB rather than at CloudFront leaves direct requests to the ALB unrestricted.
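The three pieces of configuration above, as an added example that is not part of the original question or of any AWS documentation: a helper that builds the CloudFront custom origin header, the WAFv2 rule that blocks ALB requests lacking it, and the S3 bucket policy that grants read access only to the OAI, plus a local evaluator that applies the WAF rule to sample requests. The bucket name, OAI id, header name `x-origin-verify` and the secret are constructed for illustration; nothing is sent to AWS.

```python
"""Build the configuration described in the explanation and check the
ALB-side rule against sample requests (added example, assumed names).

  - the CloudFront origin custom header (Option C),
  - the AWS WAF rule on the ALB that blocks requests without it (Option A),
  - the S3 bucket policy that only lets the OAI read objects (Option F).
"""
import hmac
import json
import secrets

HEADER_NAME = "x-origin-verify"  # assumed header name; any name works


def new_origin_secret() -> str:
    """Random shared secret for the custom header. Keep it in Secrets Manager
    and rotate it by updating CloudFront and WAF together."""
    return secrets.token_urlsafe(32)


def cloudfront_origin_custom_header(secret: str) -> dict:
    """The OriginCustomHeaders entry CloudFront adds to every request it
    forwards to the ALB origin (shape used by the distribution config)."""
    return {"HeaderName": HEADER_NAME, "HeaderValue": secret}


def waf_rule_block_without_header(secret: str, priority: int = 0) -> dict:
    """WAFv2 rule for the web ACL associated with the ALB: block any request
    whose header is absent or not exactly the secret. SearchString is a blob
    in the API; base64-encode it if you feed this JSON to the AWS CLI."""
    return {
        "Name": "BlockDirectAccessNotFromCloudFront",
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {
            "NotStatement": {
                "Statement": {
                    "ByteMatchStatement": {
                        "FieldToMatch": {"SingleHeader": {"Name": HEADER_NAME}},
                        "PositionalConstraint": "EXACTLY",
                        "SearchString": secret,
                        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                    }
                }
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "BlockDirectAccessNotFromCloudFront",
        },
    }


def s3_bucket_policy_for_oai(bucket: str, oai_id: str) -> dict:
    """Bucket policy granting s3:GetObject to the OAI only. With no other
    Allow statement and Block Public Access on, direct S3 reads are denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/"
                           f"CloudFront Origin Access Identity {oai_id}"
                },
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def evaluate_waf_rule(rule: dict, request_headers: dict) -> str:
    """Local mirror of what the rule above does to one request: 'BLOCK'
    unless the header is present with exactly the expected value. Header
    names are case-insensitive as in HTTP; the constant-time compare is
    this evaluator's choice, not a WAF feature."""
    bms = rule["Statement"]["NotStatement"]["Statement"]["ByteMatchStatement"]
    name = bms["FieldToMatch"]["SingleHeader"]["Name"].lower()
    expected = bms["SearchString"].encode()
    got = next((v for k, v in request_headers.items() if k.lower() == name), None)
    if got is not None and hmac.compare_digest(got.encode(), expected):
        return "ALLOW"
    return "BLOCK"


if __name__ == "__main__":
    secret = new_origin_secret()
    rule = waf_rule_block_without_header(secret)
    # Constructed sample requests: one via CloudFront, one sent directly to the ALB.
    via_cloudfront = {"Host": "app.example.com", "X-Origin-Verify": secret}
    direct_to_alb = {"Host": "alb-123.us-east-1.elb.amazonaws.com"}
    print(evaluate_waf_rule(rule, via_cloudfront))  # ALLOW
    print(evaluate_waf_rule(rule, direct_to_alb))   # BLOCK
    print(json.dumps(s3_bucket_policy_for_oai("static-assets-bucket", "E1EXAMPLE"), indent=2))
```

The rule uses a NotStatement around an exact ByteMatch so the web ACL's default action can stay Allow for everything that does carry the header; the `Host` header is irrelevant to the decision, which is the point: the ALB hostname is discoverable, the header value is not.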