Utilize AWS Secrets Manager to store a random string. Automate secret rotation with an AWS Lambda function. Configure CloudFront to add this random string as a custom HTTP header for origin requests. Implement an AWS WAF web ACL rule that includes a string match rule for the custom header. Associate this web ACL with the ALB.

Implement an AWS WAF web ACL rule that specifies an IP match condition for the CloudFront service IP address ranges. Associate this web ACL with the ALB. Subsequently, relocate the ALB to the three private subnets.

Employ AWS Systems Manager Parameter Store to hold a random string. Set up automatic rotation for this string in Parameter Store. Configure CloudFront to include the random string as a custom HTTP header for origin requests. On the ALB, inspect the value of the custom HTTP header and block access accordingly.

Set up AWS Shield Advanced. Create a security group policy that permits connections from the CloudFront service IP address ranges. Incorporate this policy into AWS Shield Advanced and attach it to the ALB.