
Answer-first summary for fast verification
Answer: Utilize AWS Secrets Manager to store a random string. Automate secret rotation with an AWS Lambda function. Configure CloudFront to add this random string as a custom HTTP header for origin requests. Implement an AWS WAF web ACL rule that includes a string match rule for the custom header. Associate this web ACL with the ALB.
Option A is the correct answer. This approach stores a random string in AWS Secrets Manager and rotates it automatically with an AWS Lambda function. CloudFront is configured to add the random string as a custom HTTP header on every origin request, and an AWS WAF web ACL containing a string match rule for that header is created and associated with the ALB. Only requests carrying the correct header value are allowed through, so traffic that bypasses CloudFront and reaches the public ALB directly is blocked, which secures the origin from unauthorized access.
Author: LeetQuiz Editorial Team
A medical company operates a REST API on Amazon EC2 instances within an Auto Scaling group, which are situated behind an Application Load Balancer (ALB). The ALB is deployed in three public subnets, while the EC2 instances are located in three private subnets. Additionally, the company has established an Amazon CloudFront distribution with the ALB as its sole origin. What measures should a solutions architect propose to bolster the security of the origin?
A
Utilize AWS Secrets Manager to store a random string. Automate secret rotation with an AWS Lambda function. Configure CloudFront to add this random string as a custom HTTP header for origin requests. Implement an AWS WAF web ACL rule that includes a string match rule for the custom header. Associate this web ACL with the ALB.
B
Implement an AWS WAF web ACL rule that specifies an IP match condition for the CloudFront service IP address ranges. Associate this web ACL with the ALB. Subsequently, relocate the ALB to the three private subnets.
C
Employ AWS Systems Manager Parameter Store to hold a random string. Set up automatic rotation for this string in Parameter Store. Configure CloudFront to include the random string as a custom HTTP header for origin requests. On the ALB, inspect the value of the custom HTTP header and block access accordingly.
D
Set up AWS Shield Advanced. Create a security group policy that permits connections from the CloudFront service IP address ranges. Incorporate this policy into AWS Shield Advanced and attach it to the ALB.
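As an added illustration of option A (not part of the original question or the editorial answer), the following CloudFormation template wires the four pieces together. The header name x-origin-verify, the 30-day rotation interval, the three parameters and the rotation Lambda (passed in by ARN) are assumptions.

```yaml
# Assumed names throughout; existing ALB and rotation Lambda are passed in as parameters
Parameters: { AlbArn: { Type: String }, AlbDnsName: { Type: String }, RotationLambdaArn: { Type: String } }
Resources:
  OriginSecret:            # the random string known only to CloudFront and the WAF rule
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString: { SecretStringTemplate: "{}", GenerateStringKey: headerValue, PasswordLength: 32, ExcludePunctuation: true }
  OriginSecretRotation:    # automatic rotation by the Lambda function named above
    Type: AWS::SecretsManager::RotationSchedule
    Properties: { SecretId: !Ref OriginSecret, RotationLambdaARN: !Ref RotationLambdaArn, RotationRules: { AutomaticallyAfterDays: 30 } }
  OriginWebAcl:            # REGIONAL scope: this ACL is attached to the ALB, not to the distribution
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: REGIONAL
      DefaultAction: { Block: {} }   # anything that bypasses CloudFront lacks the header and is blocked
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: originVerify }
      Rules:
        - Name: allow-requests-with-secret-header
          Priority: 0
          Action: { Allow: {} }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: secretHeader }
          Statement:
            ByteMatchStatement:       # the string match rule on the custom header
              FieldToMatch: { SingleHeader: { Name: x-origin-verify } }
              PositionalConstraint: EXACTLY
              SearchString: !Sub "{{resolve:secretsmanager:${OriginSecret}:SecretString:headerValue}}"
              TextTransformations: [ { Priority: 0, Type: NONE } ]
  AlbAssociation:          # associate the web ACL with the ALB
    Type: AWS::WAFv2::WebACLAssociation
    Properties: { ResourceArn: !Ref AlbArn, WebACLArn: !GetAtt OriginWebAcl.Arn }
  Distribution:            # CloudFront adds the header to every request it sends to the origin
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: alb-origin
            DomainName: !Ref AlbDnsName
            CustomOriginConfig: { OriginProtocolPolicy: https-only }
            OriginCustomHeaders:
              - HeaderName: x-origin-verify
                HeaderValue: !Sub "{{resolve:secretsmanager:${OriginSecret}:SecretString:headerValue}}"
        DefaultCacheBehavior:
          TargetOriginId: alb-origin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad   # managed CachingDisabled policy, suitable for a REST API
```

CloudFormation resolves the secret only at deploy time, so the rotation Lambda must itself push each new value to both the CloudFront origin header and the WAF rule's SearchString, and should keep the previous value accepted until CloudFront has picked up the new one.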