A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application's origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?
A) Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.
B) Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.
C) Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.
D) Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.