AWS Certified DevOps Engineer – Professional — Question 175
A company has a web application that users access over the internet. The web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are in an Auto Scaling group. The ALB is associated with a security group that allows traffic from the internet. The web application has a local cache on each EC2 instance.
During a recent security incident, requests overloaded the web application and caused an outage for the company's customers. In response to the incident, the company added Amazon CloudFront in front of the web application. All customers now access the web application through CloudFront.
A DevOps engineer must implement a solution that routes all requests through CloudFront. The solution also must give the company the ability to block requests based on the content of the requests, such as header or body information.
Which combination of steps should the DevOps engineer take to meet these requirements? (Choose two.)
Answer options
- A. Create an AWS WAF web ACL. Associate the web ACL with the CloudFront distribution. Create rules for each type of traffic that the company wants to block.
- B. Create new ALB listener rules on the existing listeners. Configure the new rules to allow or reject incoming traffic based on whether the host header matches the CloudFront fully qualified domain name (FQDN).
- C. Create an AWS PrivateLink endpoint service for the ALB. Configure the endpoint service to allow requests from CloudFront. Update the web application origin in CloudFront to use the newly created endpoint service's DNS name.
- D. Create a CloudFront origin access identity (OAI) for the web application. Update the web application origin in CloudFront to use the OAI. Update the ALB rules to check for the OAI and return an HTTP 403 error if the OAI header is not present.
- E. Create an AWS Firewall Manager security policy. Attach the security policy to the CloudFront distribution. Use the security policy to attach AWS WAF rule groups for each type of traffic that the company wants to block.
Correct answer: A, B
Explanation
The correct answer is A and B. Creating an AWS WAF web ACL and associating it with the CloudFront distribution allows the company to block specific types of requests based on defined rules, including rules that inspect header and body content. Additionally, adding ALB listener rules enables the filtering of incoming traffic based on the host header, so that only requests whose Host header matches the CloudFront FQDN are forwarded and requests that bypass CloudFront are rejected. Options C, D, and E do not adequately address the requirement to block requests based on content.
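As an added illustration (not part of the original question or AWS documentation), the following Python builds the two resources options A and B describe in the request shapes that boto3's `elbv2.create_rule` and `wafv2.create_web_acl` accept, and simulates locally how the ALB host-header rule classifies a request. The CloudFront domain, target group ARN and match strings are constructed placeholders.

```python
"""Option A (WAF web ACL on CloudFront) and option B (ALB host-header listener rules),
expressed as the dictionaries boto3 would send, plus a local rule-evaluation check."""
from typing import Any

CLOUDFRONT_FQDN = "d111111abcdef8.cloudfront.net"               # constructed placeholder
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:PLACEHOLDER"   # constructed placeholder

def alb_listener_rules(cf_fqdn: str, target_group_arn: str) -> list[dict[str, Any]]:
    """Option B: forward only requests whose Host header is the CloudFront FQDN;
    a lower-priority catch-all answers everything else with HTTP 403.
    (The same shape with Field 'http-header' can check a custom origin header instead.)"""
    return [
        {"Priority": 1,
         "Conditions": [{"Field": "host-header", "HostHeaderConfig": {"Values": [cf_fqdn]}}],
         "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn}]},
        {"Priority": 2,
         "Conditions": [{"Field": "path-pattern", "PathPatternConfig": {"Values": ["/*"]}}],
         "Actions": [{"Type": "fixed-response", "FixedResponseConfig": {
             "StatusCode": "403", "ContentType": "text/plain", "MessageBody": "Forbidden"}}]},
    ]

def alb_decision(rules: list[dict[str, Any]], host_header: str) -> str:
    """Simulate evaluation: lowest priority number first, case-insensitive exact host match."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        cond = rule["Conditions"][0]
        if cond["Field"] == "host-header":
            if host_header.lower() in (v.lower() for v in cond["HostHeaderConfig"]["Values"]):
                return rule["Actions"][0]["Type"]
        elif cond["Field"] == "path-pattern" and "/*" in cond["PathPatternConfig"]["Values"]:
            return rule["Actions"][0]["Type"]
    return "listener-default"

def waf_block_rule(name: str, priority: int, field: dict[str, Any], needle: str) -> dict[str, Any]:
    """Option A: one web ACL rule that blocks when `field` (a wafv2 FieldToMatch such as
    {"SingleHeader": {"Name": "user-agent"}} or {"Body": {}}) contains `needle`."""
    return {
        "Name": name, "Priority": priority, "Action": {"Block": {}},
        "Statement": {"ByteMatchStatement": {
            "FieldToMatch": field, "SearchString": needle.lower().encode(),
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "CONTAINS"}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }

def cloudfront_web_acl(name: str, rules: list[dict[str, Any]]) -> dict[str, Any]:
    """Web ACL body for a CloudFront distribution (Scope CLOUDFRONT, created in us-east-1)."""
    return {"Name": name, "Scope": "CLOUDFRONT", "DefaultAction": {"Allow": {}}, "Rules": rules,
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}
```

The simulation only models exact host matching; real ALB conditions also accept wildcards, and the catch-all rule can equally be expressed as the listener's default action.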