ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 965 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 965
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A company has deployed its corporate website in a VPC on two Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are deployed in private subnets. The ALB is in a public subnet. A route to an internet gateway exists in the public subnet route table. The company has deployed an Amazon CloudFront distribution with the ALB as the origin.

The company's security team recently identified that malicious traffic is accessing the ALB directly. The company must deploy security controls to prevent common attack techniques, including cross-site scripting, and to protect against volumetric denials of service.

Which strategy should a solutions architect recommend to meet these requirements?

  • A. Migrate the ALB to a private subnet. Associate an AWS WAF web ACL with the ALB. Update inbound rules on the ALB security group to allow traffic on port 443 only from CloudFront IP addresses.
  • B. Associate an AWS WAF web ACL with the CloudFront distribution. Configure an origin access identity (OAI) on the ALB to drop access attempts that do not originate from CloudFront.
  • C. Associate an AWS WAF web ACL with the CloudFront distribution. Configure CloudFront to add a custom header to the requests that are sent to the ALB. Configure advanced routing on the ALB to only forward requests that include the custom header that is set by CloudFront.
  • D. Associate an AWS WAF web ACL with the CloudFront distribution. Configure AWS WAF to add a custom header to the requests that are sent to the ALB. Configure advanced routing on the ALB to only forward requests that include the custom header that is set by CloudFront.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by masetromain at Nov. 30, 2022, 1:59 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
FlyingHawk
3 months, 1 week ago
Selected Answer: C
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html To prevent users from directly accessing an Application Load Balancer and allow access only through CloudFront, complete these high-level steps: Configure CloudFront to add a custom HTTP header to requests that it sends to the Application Load Balancer. Configure the Application Load Balancer to only forward requests that contain the custom HTTP header.
upvoted 1 times
...
vn_thanhtung
1 year, 8 months ago
Selected Answer: C
https://aws.amazon.com/vi/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/
upvoted 1 times
vn_thanhtung
1 year, 8 months ago
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-action.html#:~:text=Allow%20%E2%80%93%20AWS%20WAF%20allows%20the%20request%20to%20be%20forwarded%20to%20the%20protected%20AWS%20resource%20for%20processing%20and%20response.%20This%20is%20a%20terminating%20action.%20In%20rules%20that%20you%20define%2C%20you%20can%20insert%20custom%20headers%20into%20the%20request%20before%20forwarding%20it%20to%20the%20protected%20resource.
upvoted 1 times
...
...
dev112233xx
1 year, 12 months ago
Selected Answer: D
I agree it's D https://aws.amazon.com/about-aws/whats-new/2021/03/aws-waf-adds-support-request-header-insertion/
upvoted 1 times
...
vietbui
2 years ago
Selected Answer: C
Set the custom header on CloudFront
upvoted 3 times
...
andras
2 years, 1 month ago
Selected Answer: D
AWS Shield, a DDoS protection service, is enabled by default on Amazon CloudFront and automatically protects against Network/Transport layer DDoS attacks. The automatic protection feature by AWS Shield Standard is available to all AWS customers at no additional cost. Customers can also use AWS WAF (Web Application Firewall) to protect against application layer DDoS attacks. The difference between them is that AWS WAF (Web Application Firewall) provides protection on the application layer and AWS Shield protects the infrastructure layers of the OSI model.
upvoted 1 times
...
davidy2020
2 years, 2 months ago
Option D is incorrect because it mentions configuring AWS WAF to add a custom header to the requests, but it is the CloudFront distribution that should add the custom header to the requests that are sent to the ALB, not AWS WAF. The custom header is used to identify requests that originated from CloudFront and allow them to pass through the ALB, while blocking requests that do not include the custom header. Option C is the correct answer, as it mentions configuring CloudFront to add a custom header to the requests and configuring advanced routing on the ALB to only forward requests that include the custom header that is set by CloudFront.
upvoted 2 times
...
coolt2
2 years, 2 months ago
C makes more logic ref : https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html
upvoted 1 times
coolt2
2 years, 2 months ago
Let me correct myself ,forget about C , both WAF and Cloudfront can add custom headers and in this case D is best see this new feature as of 2021 : https://aws.amazon.com/about-aws/whats-new/2021/03/aws-waf-adds-support-request-header-insertion/ By associating an AWS WAF web ACL with the CloudFront distribution, the company can protect against common attack techniques, including cross-site scripting and volumetric denial-of-service attacks. Additionally, by configuring AWS WAF to add a custom header to the requests sent to the ALB, the company can add an extra layer of security. The ALB can be configured to only forward requests that include the custom header, which ensures that only legitimate traffic is passed through.
upvoted 2 times
...
...
zozza2023
2 years, 2 months ago
Selected Answer: C
i go for C as there is a contradiction with D no?
upvoted 1 times
...
ccort
2 years, 3 months ago
Selected Answer: C
I believe in C over D D kind of contradicts itself, it says that WAF adds the custom header and then mentions the header set by CloudFront?
upvoted 1 times
...
Kende
2 years, 4 months ago
D: We need WAF too.
upvoted 1 times
...
Spavanko
2 years, 4 months ago
Selected Answer: D
I thinks is D, because we need to have DDoS protection with WAF (https://aws.amazon.com/premiumsupport/knowledge-center/waf-mitigate-ddos-attacks/) Solutions under C, do not provide DDoS protection.
upvoted 2 times
...
masetromain
2 years, 4 months ago
Selected Answer: C
I go with C: https://blogs.halodoc.io/implementation-of-custom-header-to-origin-requests/ https://jayendrapatil.com/aws-cloudfront-security/
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago