ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 427 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 427
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A medical company is running a REST API on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group behind an Application Load Balancer (ALB). The ALB runs in three public subnets, and the EC2 instances run in three private subnets. The company has deployed an Amazon CloudFront distribution that has the ALB as the only origin.

Which solution should a solutions architect recommend to enhance the origin security?

  • A. Store a random string in AWS Secrets Manager. Create an AWS Lambda function for automatic secret rotation. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Create an AWS WAF web ACL rule with a string match rule for the custom header. Associate the web ACL with the ALB.
  • B. Create an AWS WAF web ACL rule with an IP match condition of the CloudFront service IP address ranges. Associate the web ACL with the ALMove the ALB into the three private subnets.
  • C. Store a random string in AWS Systems Manager Parameter Store. Configure Parameter Store automatic rotation for the string. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Inspect the value of the custom HTTP header, and block access in the ALB.
  • D. Configure AWS Shield Advanced Create a security group policy to allow connections from CloudFront service IP address ranges. Add the policy to AWS Shield Advanced, and attach the policy to the ALB.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by alexis123456 at Feb. 5, 2024, 10:31 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
kejam
Highly Voted 1 year, 2 months ago
Selected Answer: A
In this blog post, you’ll see how to use CloudFront custom headers, AWS WAF, and AWS Secrets Manager to restrict viewer requests from accessing your CloudFront origin resources directly. https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/
upvoted 6 times
...
SIJUTHOMASP
Most Recent 4 months ago
Selected Answer: B
While secret manager can auto rotate the secrets why to use Lamda to rotate? The choice B is neater than A?
upvoted 1 times
GabrielShiao
2 months, 3 weeks ago
B is not correct. Moving ALB to private subnets makes the Cloudfront traffic unreachable.
upvoted 2 times
...
...
AzureDP900
5 months, 2 weeks ago
Option A is right Store a random string in Secrets Manager: This provides a secure way to store sensitive data, such as a token or secret key. Create an AWS Lambda function for automatic secret rotation: This ensures that the secret is regularly rotated and updated to prevent unauthorized access. Configure CloudFront to inject the random string as a custom HTTP header for the origin request: This adds an additional layer of protection by requiring the ALB to verify the custom header before allowing access. Create an AWS WAF web ACL rule with a string match rule for the custom header: This checks that the custom header matches the expected value, preventing unauthorized access if it doesn't. Associate the web ACL with the ALB: This ensures that the security rules are enforced at the edge of the network, protecting against malicious traffic. The other options don't provide sufficient protection:
upvoted 1 times
...
Win007
11 months, 2 weeks ago
D is the correct Answer
upvoted 1 times
trungtd
10 months, 2 weeks ago
you cannot directly add a security group to AWS Shield Advanced. BTW, what is security group policy?
upvoted 1 times
...
...
career360guru
1 year, 1 month ago
Selected Answer: A
Option A
upvoted 1 times
...
TheCloudGuruu
1 year, 2 months ago
Selected Answer: A
Answer is A
upvoted 1 times
...
HunkyBunky
1 year, 2 months ago
Selected Answer: A
A - is a proper answer https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/
upvoted 2 times
...
alexis123456
1 year, 2 months ago
Correct Answer is A
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago