
Answer-first summary for fast verification
Answer: Add an inbound rule to the ALB's security group to allow the AWS managed prefix list for CloudFront.
To ensure that all inbound traffic to the Application Load Balancer (ALB) comes from Amazon CloudFront at the network layer, the most operationally efficient solution is the security group associated with the ALB. A security group acts as a stateful virtual firewall for the resource it is attached to, here the ALB, and controls its inbound and outbound traffic. Adding an inbound rule to the ALB's security group whose source is the AWS managed prefix list for CloudFront restricts access to the ALB to connections that originate from CloudFront's origin-facing IP ranges. This is operationally efficient because AWS maintains the prefix list as CloudFront's address ranges change, so no additional infrastructure and no custom update logic is needed.

Option A is correct because it meets the requirement at the network layer using security groups, which is the recommended way to control access to AWS resources. Options B, C, and D do not meet the requirement as efficiently or as directly. Option B uses network ACLs, which are stateless and less efficient for this purpose; network ACL rules are written in terms of CIDR ranges rather than prefix lists, so the CloudFront ranges would have to be maintained by hand. Option C adds a custom HTTP header, which is an application layer control and does not satisfy the network layer requirement. Option D could technically meet the requirement, but it adds unnecessary complexity by involving AWS WAF and a Lambda function to keep an IP set current, neither of which is needed to achieve the goal.
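The following Terraform fragment is an added example, not code from the LeetQuiz page, showing option A as it would be applied: an ingress rule on the ALB's security group sourced from the AWS managed CloudFront prefix list, with the over-permissive rule it replaces shown for contrast. The VPC id and security group name are placeholders.

```hcl
# Added example: restrict an ALB's inbound traffic to CloudFront using the
# AWS managed prefix list. The VPC id and group name below are placeholders.

variable "vpc_id" {
  type = string # placeholder: the VPC that hosts the ALB
}

# AWS publishes and maintains this prefix list, so no Lambda function or
# hand-maintained IP set is required to track CloudFront address changes.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "alb" {
  name        = "alb-cloudfront-only" # placeholder name
  description = "ALB: accept HTTPS only from CloudFront origin-facing IPs"
  vpc_id      = var.vpc_id
}

# Option A: the source is the managed prefix list, not 0.0.0.0/0.
resource "aws_vpc_security_group_ingress_rule" "https_from_cloudfront" {
  security_group_id = aws_security_group.alb.id
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  description       = "HTTPS from CloudFront only"
}

# The weak setting this replaces: an internet-wide rule lets clients reach
# the ALB directly, bypassing CloudFront and anything enforced there.
# resource "aws_vpc_security_group_ingress_rule" "https_from_anywhere" {
#   security_group_id = aws_security_group.alb.id
#   cidr_ipv4         = "0.0.0.0/0"
#   ip_protocol       = "tcp"
#   from_port         = 443
#   to_port           = 443
# }

# Security groups are stateful, so responses to CloudFront need no rule of
# their own; outbound traffic to the ALB's targets is configured as usual.
resource "aws_vpc_security_group_egress_rule" "all_out" {
  security_group_id = aws_security_group.alb.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
```

The managed prefix list's entries count against the security group's rule quota, so check that quota in Service Quotas before applying. Add a matching rule for port 80 only if the distribution's origin protocol policy actually sends HTTP to the ALB.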
Author: LeetQuiz Editorial Team
A company has an Amazon CloudFront distribution with an Application Load Balancer (ALB) as its origin. A network engineer must ensure that all inbound traffic to the ALB originates exclusively from CloudFront, implementing this restriction at the network layer rather than the application layer.
What is the most operationally efficient solution to meet these requirements?
A. Add an inbound rule to the ALB's security group to allow the AWS managed prefix list for CloudFront.
B. Add an inbound rule to the network ACLs that are associated with the ALB's subnets. Use the AWS managed prefix list for CloudFront as the source in the rule.
C. Configure CloudFront to add a custom HTTP header to the requests that CloudFront sends to the ALB.
D. Associate an AWS WAF web ACL with the ALB. Configure the AWS WAF rules to allow traffic from the CloudFront IP set. Automatically update the CloudFront IP set by using an AWS Lambda function.