ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 674 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 674
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A company is launching a web-based application in multiple regions around the world. The application consists of both static content stored in a private Amazon
S3 bucket and dynamic content hosted in Amazon ECS containers content behind an Application Load Balancer (ALB). The company requires that the static and dynamic application content be accessible through Amazon CloudFront only.
Which combination of steps should a solutions architect recommend to restrict direct content access to CloudFront? (Choose three.)

  • A. Create a web ACL in AWS WAF with a rule to validate the presence of a custom header and associate the web ACL with the ALB.
  • B. Create a web ACL in AWS WAF with a rule to validate the presence of a custom header and associate the web ACL with the CloudFront distribution.
  • C. Configure CloudFront to add a custom header to origin requests.
  • D. Configure the ALB to add a custom header to HTTP requests.
  • E. Update the S3 bucket ACL to allow access from the CloudFront distribution only.
  • F. Create a CloudFront Origin Access Identity (OAI) and add it to the CloudFront distribution. Update the S3 bucket policy to allow access to the OAI only.
Show Suggested Answer Hide Answer
Suggested Answer: ACF 🗳️
by liono at Nov. 7, 2020, 12:12 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
gookseang
Highly Voted 3 years, 7 months ago
A.C.F for sure
upvoted 37 times
petebear55
3 years, 6 months ago
Your answer a is wrong !!! .. If your going to come out with wild statements like this then back up your answers .. its B https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html
upvoted 1 times
petebear55
3 years, 6 months ago
Repalce A with B
upvoted 2 times
MrCarter
3 years, 5 months ago
no mate nobody believes you
upvoted 6 times
...
...
tvs
3 years, 5 months ago
Pete read this https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/#:~:text=In%20this%20blog%20post%2C%20you,it%20sends%20to%20your%20origin.
upvoted 5 times
Kopa
3 years, 5 months ago
good explanation
upvoted 1 times
...
MrCarter
3 years, 5 months ago
ANSWER IS OBVIOUSLY A,C,F Straight out of Jon Bonso's exams
upvoted 5 times
...
...
shammous
3 years, 6 months ago
He is right, ... pete Red Herring.
upvoted 3 times
...
Load full discussion...
...
...
Bulti
Highly Voted 3 years, 6 months ago
To ensure all requests are coming from CloudFront, the combination of steps should be C, A, F. C will add the custom header. A will detect the presence of custom header using Web ACL rules in the WAF around ALB and then F will ensure that all request to access S3 buckets are coming from Cloudfront using the OAI.
upvoted 30 times
shammous
3 years, 6 months ago
Great job Bulti, as always. Thank you for taking the time to explain your choices. I suggest everybody else do the same instead of just throwing their answers...
upvoted 8 times
AkaAka4
3 years, 4 months ago
Indeed, rookies like me really appreciate you guys' information :D
upvoted 1 times
...
...
01037
3 years, 6 months ago
Agree. B and C are contradiction to each other. If CloudFront adds the custom header, how could WAF in front of CloudFront validate the presence of the custom header.
upvoted 6 times
...
...
onepunchfinish
Most Recent 11 months, 2 weeks ago
ACF A: By using custom headers, you can further restrict access to your content so that users can access it only through CloudFront, not directly. In this case an AWS WAF web ACL can be used to filter the requests and validate the presence of the custom header. F: The OAI is a special CloudFront user that is associated with the distribution. After creating an OAI, the S3 bucket permissions can then be modified so that CloudFront can use the OAI to access the files in your bucket and serve them to your users (and also restrict any other access)
upvoted 1 times
...
Jesuisleon
1 year, 11 months ago
Selected Answer: ACF
A,C,F are correct answers. The data flow is cloudfront --> ALB. You want to restrict users directly access to ALB. So ALB will check custom Header which only cloudfront can add. By this, data flow not from cloudfront is without custom header and at last denied by alb.
upvoted 1 times
...
hilft
2 years, 9 months ago
ACF I saw the same one in Jon Bonso's exam. MrCarter got it too
upvoted 2 times
...
aandc
2 years, 9 months ago
Selected Answer: ACF
deny direct access to S3 and ALB
upvoted 2 times
...
KennethTam
3 years ago
Selected Answer: ACF
ACF, you need to deny direct access to origin(ALB), but not cloudfront.
upvoted 3 times
...
Ni_yot
3 years, 1 month ago
Agree with ACF. CF is used to add custom http headers to request.
upvoted 1 times
...
HellGate
3 years, 2 months ago
My answer is B C F. To deliver contents through only CloudFront, we need associate the Web ACL with CloudFront, not ALB. ALB is for ECS here and for OAI, doesn’t need ALB. https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/?nc1=h_ls
upvoted 1 times
...
pititcu667
3 years, 3 months ago
Selected Answer: ACF
i chose acf
upvoted 1 times
...
Binoj_1985
3 years, 4 months ago
Selected Answer: BCF
BCF right? Since static and dynamic application material must be available through Amazon CloudFront.
upvoted 1 times
Binoj_1985
3 years, 4 months ago
ACF - Since validate rule to ALB
upvoted 1 times
...
...
AzureDP900
3 years, 4 months ago
A,C,F Is right
upvoted 1 times
...
andylogan
3 years, 5 months ago
It's C A F
upvoted 2 times
...
DerekKey
3 years, 5 months ago
A/C/F: very similar configuration is used by us in an environment that serves over 1 mln requests per second. The only difference is in usage of AWF. This answer is a waste of money. ALB can check header in incoming traffic. You don't need WAF to do it. CF sets custom header with a value ALB check if custom header exists with this value S3 uses CF OAI
upvoted 4 times
...
tgv
3 years, 5 months ago
AAA CCC FFF ---
upvoted 2 times
...
blackgamer
3 years, 5 months ago
CAF for me.
upvoted 2 times
...
mericov
3 years, 5 months ago
ACF https://blogs.halodoc.io/implementation-of-custom-header-to-origin-requests/
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago