AWS Certified SysOps Administrator – Associate — Question 124
A company’s web application is available through an Amazon CloudFront distribution and directly through an internet-facing Application Load Balancer (ALB). A SysOps administrator must make the application accessible only through the CloudFront distribution and not directly through the ALB. The SysOps administrator must make this change without changing the application code.
Which solution will meet these requirements?
Answer options
- A. Modify the ALB type to internal. Set the distribution’s origin to the internal ALB domain name.
- B. Create a Lambda@Edge function. Configure the function to compare a custom header value in the request with a stored password and to forward the request to the origin in case of a match. Associate the function with the distribution.
- C. Replace the ALB with a new internal ALB. Set the distribution’s origin to the internal ALB domain name. Add a custom HTTP header to the origin settings for the distribution. In the ALB listener, add a rule to forward requests that contain the matching custom header and the header’s value. Add a default rule to return a fixed response code of 403.
- D. Add a custom HTTP header to the origin settings for the distribution. In the ALB listener, add a rule to forward requests that contain the matching custom header and the header’s value. Add a default rule to return a fixed response code of 403.
Correct answer: D
Explanation
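Option D is correct because it restricts access to the application by requiring a specific custom HTTP header that only CloudFront provides: CloudFront adds the header to the requests it sends to the origin, the ALB listener rule forwards only requests that carry the matching header and value, and the default rule answers everything else with a fixed 403. None of this requires a change to the application code. The other options either involve unnecessary changes to the ALB type or setup or do not adequately restrict access, since they don't ensure that only CloudFront can reach the ALB.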
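One way to check that a listener actually enforces option D, as an added example that is not part of the original question: the function audits rules shaped like `aws elbv2 describe-rules` output and reports any path that still forwards traffic without the header. The header name `X-Origin-Verify`, the secret value, the placeholder ARN and all sample rule sets are constructed for illustration.

```python
HEADER = "X-Origin-Verify"  # hypothetical header name set in the CloudFront origin

def audit_listener_rules(rules, header_name):
    """Return findings for a listener's rules; an empty list means only
    requests carrying `header_name` are forwarded and the rest get 403."""
    findings = []
    for rule in rules:
        actions = rule.get("Actions", [])
        if rule.get("IsDefault"):
            ok = any(a.get("Type") == "fixed-response"
                     and a.get("FixedResponseConfig", {}).get("StatusCode") == "403"
                     for a in actions)
            if not ok:
                findings.append("default rule does not return a fixed 403")
            continue
        if not any(a.get("Type") == "forward" for a in actions):
            continue  # redirect / fixed-response rules do not reach the targets
        values = [v for c in rule.get("Conditions", [])
                  if c.get("Field") == "http-header"
                  and c.get("HttpHeaderConfig", {}).get("HttpHeaderName", "").lower()
                  == header_name.lower()
                  for v in c["HttpHeaderConfig"].get("Values", [])]
        label = f"rule {rule.get('Priority')}"
        if not values:
            findings.append(f"{label} forwards without requiring {header_name}")
        elif any("*" in v or "?" in v for v in values):
            # ALB header conditions accept * and ? wildcards, which weaken the match
            findings.append(f"{label} matches {header_name} with a wildcard value")
    return findings

# --- Constructed sample rule sets (not real account data) ---
def _rule(priority, conditions, action, default=False):
    return {"Priority": priority, "IsDefault": default,
            "Conditions": conditions, "Actions": [action]}

def _header_cond(value):
    return {"Field": "http-header",
            "HttpHeaderConfig": {"HttpHeaderName": HEADER, "Values": [value]}}

FORWARD = {"Type": "forward",
           "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER"}
DENY = {"Type": "fixed-response", "FixedResponseConfig": {"StatusCode": "403"}}

HARDENED = [_rule("1", [_header_cond("constructed-secret-value")], FORWARD),
            _rule("default", [], DENY, default=True)]
DIRECT_ACCESS = [_rule("default", [], FORWARD, default=True)]  # ALB still reachable directly
WILDCARD = [_rule("1", [_header_cond("*")], FORWARD),
            _rule("default", [], DENY, default=True)]
```

The header value works as a shared secret between CloudFront and the ALB, so the same audit is worth rerunning whenever listener rules change.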