Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 162 discussion

A company runs an application on a fleet of Amazon EC2 instances that are in private subnets behind an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL that contains various AWS managed rules is associated with the CloudFront distribution.

The company needs a solution that will prevent internet traffic from directly accessing the ALB.

Which solution will meet these requirements with the LEAST operational overhead?

  • A. Create a new web ACL that contains the same rules that the existing web ACL contains. Associate the new web ACL with the ALB.
  • B. Associate the existing web ACL with the ALB.
  • C. Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only.
  • D. Add a security group rule to the ALB to allow only the various CloudFront IP address ranges.

Suggested Answer: C

Comments

masssa
Highly Voted 1 year, 8 months ago
Selected Answer: C
https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html
AWS managed prefix list is more recommended.
upvoted 12 times
...
rbm2023
Highly Voted 1 year, 5 months ago
Selected Answer: C
https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html
If your origin is hosted on Amazon and protected by an Amazon VPC security group, you can use the CloudFront managed prefix list to allow inbound traffic to your origin only from CloudFront's origin-facing servers, preventing any non-CloudFront traffic from reaching your origin. Imagine that your origin is an Amazon EC2 instance in the Europe (London) Region (eu-west-2). If the instance is in a VPC, you can create a security group rule that allows inbound HTTPS access from the CloudFront managed prefix list. This allows all of CloudFront's global origin-facing servers to reach the instance. If you remove all other inbound rules from the security group, you prevent any non-CloudFront traffic from reaching the instance.
upvoted 5 times
...
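An added example (not part of the discussion or of AWS documentation) that checks the condition the comment above describes: the ALB security group should have no inbound source other than the CloudFront managed prefix list. It assumes the JSON shape returned by `aws ec2 describe-security-groups`; the function name and all IDs are constructed placeholders.

```python
# Added example: audits the JSON shape returned by `aws ec2 describe-security-groups`.
# All IDs below are constructed placeholders, not values from the page.
# Replace with the ID of com.amazonaws.global.cloudfront.origin-facing in your Region.
CLOUDFRONT_PL_ID = "pl-0example00000000"


def audit_origin_sg(sg, cloudfront_pl_id=CLOUDFRONT_PL_ID):
    """Return findings for inbound rules that admit non-CloudFront sources."""
    findings, cloudfront_allowed = [], False
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        scope = "all traffic" if proto == "-1" else f"{proto} {perm.get('FromPort')}-{perm.get('ToPort')}"
        # Collect every source type a single permission entry can carry.
        sources = (
            [("IPv4 CIDR", r["CidrIp"]) for r in perm.get("IpRanges", [])]
            + [("IPv6 CIDR", r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
            + [("security group", g["GroupId"]) for g in perm.get("UserIdGroupPairs", [])]
            + [("prefix list", p["PrefixListId"]) for p in perm.get("PrefixListIds", [])]
        )
        for kind, value in sources:
            if kind == "prefix list" and value == cloudfront_pl_id:
                cloudfront_allowed = True
            else:
                findings.append(f"{scope}: {kind} {value} is not the CloudFront prefix list")
    if not cloudfront_allowed:
        findings.append("no inbound rule references the CloudFront managed prefix list")
    return findings


# Constructed sample: the prefix list was added, but an open HTTPS rule was left behind.
WEAK_SG = {"GroupId": "sg-0example0000weak", "IpPermissions": [{
    "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
    "UserIdGroupPairs": [], "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PL_ID}]}]}

# Constructed sample: the only inbound source is the CloudFront prefix list (option C).
HARDENED_SG = {"GroupId": "sg-0example0000good", "IpPermissions": [{
    "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [], "Ipv6Ranges": [],
    "UserIdGroupPairs": [], "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PL_ID}]}]}

if __name__ == "__main__":
    for name, sg in (("weak", WEAK_SG), ("hardened", HARDENED_SG)):
        print(name, audit_origin_sg(sg) or "only CloudFront can reach the ALB")
```

A security group that lists CloudFront CIDR ranges by hand (option D) is also reported, since each CIDR entry is a source other than the managed prefix list.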
career360guru
Most Recent 10 months, 1 week ago
Selected Answer: C
Option C
upvoted 1 times
...
career360guru
11 months, 1 week ago
Selected Answer: C
Option C
upvoted 1 times
...
NikkyDicky
1 year, 3 months ago
Selected Answer: C
C for sure
upvoted 1 times
...
mfsec
1 year, 7 months ago
C. Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only.
upvoted 2 times
...
ExamTopix01
1 year, 8 months ago
C https://aws.amazon.com/blogs/news/limit-access-to-your-origins-using-the-aws-managed-prefix-list-for-amazon-cloudfront/
upvoted 2 times
...
jojom19980
1 year, 8 months ago
Selected Answer: C
https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/
upvoted 3 times
...