
A medical company operates a REST API on Amazon EC2 instances within an Auto Scaling group, which are situated behind an Application Load Balancer (ALB). The ALB is deployed in three public subnets, while the EC2 instances are located in three private subnets. Additionally, the company has established an Amazon CloudFront distribution with the ALB as its sole origin. What measures should a solutions architect propose to bolster the security of the origin?
A
Utilize AWS Secrets Manager to store a random string. Automate secret rotation with an AWS Lambda function. Configure CloudFront to add this random string as a custom HTTP header for origin requests. Implement an AWS WAF web ACL rule that includes a string match rule for the custom header. Associate this web ACL with the ALB.
B
Implement an AWS WAF web ACL rule that specifies an IP match condition for the CloudFront service IP address ranges. Associate this web ACL with the ALB. Subsequently, relocate the ALB to the three private subnets.
C
Employ AWS Systems Manager Parameter Store to hold a random string. Set up automatic rotation for this string in Parameter Store. Configure CloudFront to include the random string as a custom HTTP header for origin requests. On the ALB, inspect the value of the custom HTTP header and block access accordingly.
D
Set up AWS Shield Advanced. Create a security group policy that permits connections from the CloudFront service IP address ranges. Incorporate this policy into AWS Shield Advanced and attach it to the ALB.