Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 674 discussion

A company is launching a web-based application in multiple regions around the world. The application consists of both static content stored in a private Amazon
S3 bucket and dynamic content hosted in Amazon ECS containers content behind an Application Load Balancer (ALB). The company requires that the static and dynamic application content be accessible through Amazon CloudFront only.
Which combination of steps should a solutions architect recommend to restrict direct content access to CloudFront? (Choose three.)

  • A. Create a web ACL in AWS WAF with a rule to validate the presence of a custom header and associate the web ACL with the ALB.
  • B. Create a web ACL in AWS WAF with a rule to validate the presence of a custom header and associate the web ACL with the CloudFront distribution.
  • C. Configure CloudFront to add a custom header to origin requests.
  • D. Configure the ALB to add a custom header to HTTP requests.
  • E. Update the S3 bucket ACL to allow access from the CloudFront distribution only.
  • F. Create a CloudFront Origin Access Identity (OAI) and add it to the CloudFront distribution. Update the S3 bucket policy to allow access to the OAI only.
Show Suggested Answer Hide Answer
Suggested Answer: ACF 🗳️

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
gookseang
Highly Voted 3 years, 1 month ago
A.C.F for sure
upvoted 37 times
petebear55
3 years, 1 month ago
Your answer a is wrong !!! .. If your going to come out with wild statements like this then back up your answers .. its B https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html
upvoted 1 times
petebear55
3 years, 1 month ago
Repalce A with B
upvoted 2 times
MrCarter
3 years ago
no mate nobody believes you
upvoted 6 times
...
...
tvs
3 years ago
Pete read this https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/#:~:text=In%20this%20blog%20post%2C%20you,it%20sends%20to%20your%20origin.
upvoted 4 times
Kopa
2 years, 12 months ago
good explanation
upvoted 1 times
...
MrCarter
3 years ago
ANSWER IS OBVIOUSLY A,C,F Straight out of Jon Bonso's exams
upvoted 5 times
...
...
shammous
3 years ago
He is right, ... pete Red Herring.
upvoted 3 times
...
...
...
Bulti
Highly Voted 3 years, 1 month ago
To ensure all requests are coming from CloudFront, the combination of steps should be C, A, F. C will add the custom header. A will detect the presence of custom header using Web ACL rules in the WAF around ALB and then F will ensure that all request to access S3 buckets are coming from Cloudfront using the OAI.
upvoted 30 times
shammous
3 years ago
Great job Bulti, as always. Thank you for taking the time to explain your choices. I suggest everybody else do the same instead of just throwing their answers...
upvoted 8 times
AkaAka4
2 years, 11 months ago
Indeed, rookies like me really appreciate you guys' information :D
upvoted 1 times
...
...
01037
3 years ago
Agree. B and C are contradiction to each other. If CloudFront adds the custom header, how could WAF in front of CloudFront validate the presence of the custom header.
upvoted 6 times
...
...
onepunchfinish
Most Recent 6 months ago
ACF A: By using custom headers, you can further restrict access to your content so that users can access it only through CloudFront, not directly. In this case an AWS WAF web ACL can be used to filter the requests and validate the presence of the custom header. F: The OAI is a special CloudFront user that is associated with the distribution. After creating an OAI, the S3 bucket permissions can then be modified so that CloudFront can use the OAI to access the files in your bucket and serve them to your users (and also restrict any other access)
upvoted 1 times
...
Jesuisleon
1 year, 5 months ago
Selected Answer: ACF
A,C,F are correct answers. The data flow is cloudfront --> ALB. You want to restrict users directly access to ALB. So ALB will check custom Header which only cloudfront can add. By this, data flow not from cloudfront is without custom header and at last denied by alb.
upvoted 1 times
...
hilft
2 years, 3 months ago
ACF I saw the same one in Jon Bonso's exam. MrCarter got it too
upvoted 2 times
...
aandc
2 years, 4 months ago
Selected Answer: ACF
deny direct access to S3 and ALB
upvoted 2 times
...
KennethTam
2 years, 7 months ago
Selected Answer: ACF
ACF, you need to deny direct access to origin(ALB), but not cloudfront.
upvoted 3 times
...
Ni_yot
2 years, 8 months ago
Agree with ACF. CF is used to add custom http headers to request.
upvoted 1 times
...
HellGate
2 years, 9 months ago
My answer is B C F. To deliver contents through only CloudFront, we need associate the Web ACL with CloudFront, not ALB. ALB is for ECS here and for OAI, doesn’t need ALB. https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/?nc1=h_ls
upvoted 1 times
...
pititcu667
2 years, 10 months ago
Selected Answer: ACF
i chose acf
upvoted 1 times
...
Binoj_1985
2 years, 11 months ago
Selected Answer: BCF
BCF right? Since static and dynamic application material must be available through Amazon CloudFront.
upvoted 1 times
Binoj_1985
2 years, 11 months ago
ACF - Since validate rule to ALB
upvoted 1 times
...
...
AzureDP900
2 years, 11 months ago
A,C,F Is right
upvoted 1 times
...
andylogan
3 years ago
It's C A F
upvoted 2 times
...
DerekKey
3 years ago
A/C/F: very similar configuration is used by us in an environment that serves over 1 mln requests per second. The only difference is in usage of AWF. This answer is a waste of money. ALB can check header in incoming traffic. You don't need WAF to do it. CF sets custom header with a value ALB check if custom header exists with this value S3 uses CF OAI
upvoted 4 times
...
tgv
3 years ago
AAA CCC FFF ---
upvoted 2 times
...
blackgamer
3 years ago
CAF for me.
upvoted 2 times
...
mericov
3 years ago
ACF https://blogs.halodoc.io/implementation-of-custom-header-to-origin-requests/
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...