AWS Certified Solutions Architect – Professional — Question 750

A company has deployed its corporate website in a VPC on two Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are deployed in private subnets. The ALB is in a public subnet. A route to an internet gateway exists in the public subnet route table. The company has deployed an Amazon CloudFront distribution with the ALB as the origin.

The company's security team recently identified that malicious traffic is accessing the ALB directly. The company must deploy security controls to prevent common attack techniques, including cross-site scripting, and to protect against volumetric denials of service.

Which strategy should a solutions architect recommend to meet these requirements?

Answer options

Correct answer: C

Explanation

Associating AWS WAF with the CloudFront distribution provides edge protection against common web attacks such as cross-site scripting and against volumetric DDoS attempts. To stop clients from bypassing CloudFront and reaching the ALB directly, CloudFront must add a secret custom header to every request it forwards to the origin, and an ALB listener rule (advanced request routing) forwards only requests that carry the expected value, returning a fixed response to everything else. The other options are incorrect because Origin Access Identities (OAI) are designed for Amazon S3 origins rather than ALBs, and AWS WAF does not handle the insertion of custom headers for this integration pattern.
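The custom-header origin check described in the explanation, as an added example that is not part of the original question or of any AWS material: it builds the CloudFront origin CustomHeaders fragment and the ALB listener rule in their boto3 parameter shapes without calling AWS, then models the listener's decision on constructed requests so the direct-access cases can be checked offline. The header name X-Origin-Verify, the placeholder secret and the target group ARN are assumptions; the WAF web ACL on CloudFront is a separate step not shown here.

```python
import hmac
from typing import Dict

# Hypothetical header name and placeholder secret (assumed, not from the page).
ORIGIN_HEADER = "X-Origin-Verify"
ORIGIN_SECRET = "replace-with-long-random-secret"  # placeholder; avoid '*' and '?', which ALB treats as wildcards


def cloudfront_origin_custom_headers(secret: str) -> Dict:
    """CustomHeaders fragment of a CloudFront origin (boto3 create_distribution shape).
    CloudFront adds this header to every request it forwards to the ALB origin."""
    return {"Quantity": 1, "Items": [{"HeaderName": ORIGIN_HEADER, "HeaderValue": secret}]}


def alb_listener_rule(secret: str, target_group_arn: str) -> Dict:
    """Listener rule that forwards only when the secret header matches (boto3 elbv2 create_rule shape).
    Pair it with a listener default action that returns a fixed 403 (DEFAULT_ACTION below)."""
    return {
        "Priority": 1,
        "Conditions": [{"Field": "http-header",
                        "HttpHeaderConfig": {"HttpHeaderName": ORIGIN_HEADER, "Values": [secret]}}],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


DEFAULT_ACTION = {"Type": "fixed-response",
                  "FixedResponseConfig": {"StatusCode": "403", "ContentType": "text/plain",
                                          "MessageBody": "Forbidden"}}


def evaluate(rule: Dict, request_headers: Dict[str, str]) -> str:
    """Offline model of the listener: apply the rule, otherwise the default action.
    ALB compares header values case-insensitively, so the model lowercases both sides;
    constant-time comparison avoids leaking the secret through response timing."""
    cfg = rule["Conditions"][0]["HttpHeaderConfig"]
    lowered = {k.lower(): v for k, v in request_headers.items()}  # header names are case-insensitive
    sent = lowered.get(cfg["HttpHeaderName"].lower(), "")
    for expected in cfg["Values"]:
        if hmac.compare_digest(sent.lower().encode(), expected.lower().encode()):
            return rule["Actions"][0]["Type"]  # "forward" to the target group
    return DEFAULT_ACTION["Type"]  # "fixed-response": direct request gets a 403


# Constructed sample requests as the ALB listener would see them.
SAMPLES = {
    "via_cloudfront": {"Host": "www.example.com", ORIGIN_HEADER: ORIGIN_SECRET},
    "direct_no_header": {"Host": "www.example.com"},
    "direct_wrong_header": {"Host": "www.example.com", ORIGIN_HEADER: "not-the-secret"},
}
```

Rotating the secret means updating the CloudFront origin header and the listener rule together; adding the new value to the rule's Values list before switching CloudFront avoids a window of rejected requests.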