
Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions


Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 332 discussion

A company recently migrated a web application from an on-premises data center to the AWS Cloud. The web application infrastructure consists of an Amazon CloudFront distribution that routes to an Application Load Balancer (ALB), with Amazon Elastic Container Service (Amazon ECS) to process requests. A recent security audit revealed that the web application is accessible by using both CloudFront and ALB endpoints. However, the company requires that the web application must be accessible only by using the CloudFront endpoint.

Which solution will meet this requirement with the LEAST amount of effort?

  • A. Create a new security group and attach it to the CloudFront distribution. Update the ALB security group ingress to allow access only from the CloudFront security group.
  • B. Update ALB security group ingress to allow access only from the com.amazonaws.global.cloudfront.origin-facing CloudFront managed prefix list.
  • C. Create a com.amazonaws.region.elasticloadbalancing VPC interface endpoint for Elastic Load Balancing. Update the ALB scheme from internet-facing to internal.
  • D. Extract CloudFront IPs from the AWS provided ip-ranges.json document. Update ALB security group ingress to allow access only from CloudFront IPs.
Suggested Answer: B
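As an added example (not from the exam page or from AWS), a Python check that audits the ALB security group for the condition option B establishes, every HTTP/HTTPS ingress rule sourced only from the CloudFront managed prefix list, and builds the matching ingress payload. `pl-PLACEHOLDER` stands in for the region-specific prefix list ID, and the security group JSON is constructed to mirror the shape `aws ec2 describe-security-groups` returns.

```python
# Added example (not from the exam page or from AWS): audit an ALB security group
# in the shape `aws ec2 describe-security-groups` returns, reporting HTTP/HTTPS
# ingress not sourced from the CloudFront managed prefix list (option B). The
# prefix list ID is region specific; look it up with `aws ec2 describe-managed-prefix-lists`.
CLOUDFRONT_PL = "pl-PLACEHOLDER"  # placeholder for the com.amazonaws.global.cloudfront.origin-facing ID
WEB_PORTS = (80, 443)

def rule_touches_web_port(rule):
    """True if an IpPermissions entry covers port 80 or 443 (or all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(lo <= p <= hi for p in WEB_PORTS)

def audit_ingress(security_group, prefix_list_id=CLOUDFRONT_PL):
    """Return findings for web-port ingress not restricted to the CloudFront
    prefix list; an empty list means only CloudFront can reach the ALB."""
    findings = []
    for rule in security_group.get("IpPermissions", []):
        if not rule_touches_web_port(rule):
            continue
        port = rule.get("FromPort", "all")
        for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            findings.append(f"open CIDR {cidr} on port {port}")
        for pl in rule.get("PrefixListIds", []):
            if pl["PrefixListId"] != prefix_list_id:
                findings.append(f"non-CloudFront prefix list {pl['PrefixListId']} on port {port}")
        # CloudFront cannot carry a security group (why option A fails), so any SG source is not CloudFront.
        for pair in rule.get("UserIdGroupPairs", []):
            findings.append(f"security-group source {pair['GroupId']} on port {port}")
    return findings

def cloudfront_only_ingress(prefix_list_id=CLOUDFRONT_PL):
    """--ip-permissions payload for `aws ec2 authorize-security-group-ingress`:
    80 and 443 allowed only from the CloudFront prefix list."""
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "PrefixListIds": [{"PrefixListId": prefix_list_id,
                                "Description": "CloudFront origin-facing"}]}
            for p in WEB_PORTS]

# Constructed sample: the audited state (ALB open to the world on 443) and the
# remediated state (80/443 from the CloudFront prefix list only).
OPEN_SG = {"GroupId": "sg-0000alb", "IpPermissions": [{"IpProtocol": "tcp",
    "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
FIXED_SG = {"GroupId": "sg-0000alb", "IpPermissions": cloudfront_only_ingress()}
```

The check only confirms the source is CloudFront as a service, the limitation LazyAutonomy raises in the comments; it does not tie the ALB to one particular distribution.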

Comments

HunkyBunky
Highly Voted 1 year, 5 months ago
Selected Answer: B
Definitely B, because you can't assign a security group to CloudFront. Also, a security group can have only 60 rules, so you can't add ALL CloudFront IPs into it, so prefix list.
upvoted 6 times
tgv
Most Recent 8 months, 2 weeks ago
Selected Answer: B
B for sure
upvoted 1 times
pangchn
1 year, 1 month ago
Selected Answer: B
https://aws.amazon.com/blogs/networking-and-content-delivery/limit-access-to-your-origins-using-the-aws-managed-prefix-list-for-amazon-cloudfront/
upvoted 1 times
LazyAutonomy
1 year, 2 months ago
Selected Answer: B
B, but this is why security architects > solution architects. Any CloudFront distribution, belonging to any account in any org, will still have direct access to the origin.
upvoted 1 times
career360guru
1 year, 3 months ago
Selected Answer: B
Option B
upvoted 1 times
zhdetn
1 year, 4 months ago
Selected Answer: B
https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/?nc1=h_ls
upvoted 4 times
shaaam80
1 year, 4 months ago
Selected Answer: B
Allow ingress access to ALB SG only from CloudFront prefix list. Answer - B
upvoted 4 times
salazar35
1 year, 5 months ago
Selected Answer: B
B is right
upvoted 1 times
devalenzuela86
1 year, 5 months ago
Selected Answer: B
B for sure
upvoted 3 times
...
Community vote distribution
  • A (35%)
  • C (25%)
  • B (20%)
  • Other