Q33 — AWS SAP-C02 Ch.1


Q108. A company recently migrated a web application from an on-premises data center to the AWS Cloud. The web application infrastructure consists of an Amazon CloudFront distribution that routes to an Application Load Balancer (ALB), with Amazon Elastic Container Service (Amazon ECS) to process requests. A recent security audit revealed that the web application is accessible by using both CloudFront and ALB endpoints. However, the company requires that the web application must be accessible only by using the CloudFront endpoint. Which solution will meet this requirement with the LEAST amount of effort?

Correct Answer: B. Update ALB security group ingress to allow access only from the com.amazonaws.global.cloudfront.origin-facing CloudFront managed prefix list

Explanation

To make the web application reachable only through the CloudFront endpoint with the least amount of effort, the solutions architect should recommend option B: update the ALB security group ingress to allow access only from the com.amazonaws.global.cloudfront.origin-facing CloudFront managed prefix list.

Why B is correct: the com.amazonaws.global.cloudfront.origin-facing prefix list contains the IP ranges CloudFront uses to connect to your origin, which in this architecture is the ALB. Restricting the ALB security group's ingress rules to this managed prefix list means only traffic that arrives via CloudFront can reach the ALB, so direct requests to the ALB endpoint are dropped at the security group. Because AWS maintains the prefix list, no manual tracking of CloudFront IP ranges is required.

Option A is incorrect. It suggests creating a new security group, attaching it to the CloudFront distribution, and then updating the ALB security group ingress to allow access only from that security group. While this approach would work, it involves additional configuration steps compared with referencing the managed prefix list directly.

Option C is incorrect. It suggests creating a VPC interface endpoint for Elastic Load Balancing and changing the ALB scheme from internet-facing to internal. This is not necessary for restricting access to the CloudFront endpoint and adds unrelated work.

Option D is incorrect. It suggests extracting the CloudFront IP ranges from the AWS-provided ip-ranges JSON document and updating the ALB security group ingress to allow only those IPs. This requires ongoing manual management of the IP ranges as they change and is not as scalable or flexible as using the CloudFront managed prefix list.

Therefore, the solution with the least amount of effort is B: update the ALB security group ingress to allow access only from the com.amazonaws.global.cloudfront.origin-facing CloudFront managed prefix list.
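As an added example (not part of the original question page and not AWS sample code), the script below shows the two halves of option B in practice: an audit that reports every ingress source on the ALB's web ports other than the CloudFront origin-facing prefix list (the finding the security audit in the question raised), and the `IpPermissions` payload that replaces those rules with prefix-list-only rules. The security group document and the `pl-…` / `sg-…` ids are constructed placeholders; the `main()` function assumes boto3 is installed and AWS credentials are in the environment, and it is only needed to run against a real account.

```python
"""
Audit and harden an ALB security group so that HTTP/HTTPS ingress is allowed
only from the CloudFront origin-facing managed prefix list (exam option B).

Added example, not code from the exam page or from AWS. Assumptions: the
security-group id and region are passed on the command line, AWS credentials
come from the environment, and SAMPLE_SG below is a hand-constructed copy of
the shape that `describe_security_groups` returns (placeholder ids).
"""
from __future__ import annotations
from typing import Iterable

CLOUDFRONT_PL_NAME = "com.amazonaws.global.cloudfront.origin-facing"
WEB_PORTS = (80, 443)

# Constructed sample: an ALB security group still open to the internet on the
# web ports, i.e. the state the question's security audit found.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder, not a real group
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}
SAMPLE_PL_ID = "pl-0000000000example"  # placeholder prefix-list id


def _covers_web_port(rule: dict) -> bool:
    """True if the rule admits TCP traffic to any web port (or all traffic)."""
    if rule.get("IpProtocol") == "-1":      # "all traffic" rule has no ports
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(lo <= p <= hi for p in WEB_PORTS)


def noncompliant_sources(sg: dict, cloudfront_pl_id: str) -> list[str]:
    """Return every ingress source on a web port that is not the CloudFront
    prefix list: IPv4/IPv6 CIDRs, other prefix lists and referenced groups."""
    findings: list[str] = []
    for rule in sg.get("IpPermissions", []):
        if not _covers_web_port(rule):
            continue
        findings += [r["CidrIp"] for r in rule.get("IpRanges", [])]
        findings += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        findings += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])
                     if p["PrefixListId"] != cloudfront_pl_id]
        findings += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
    return findings


def cloudfront_only_permissions(cloudfront_pl_id: str,
                                ports: Iterable[int] = WEB_PORTS) -> list[dict]:
    """Build the IpPermissions payload for authorize_security_group_ingress:
    one rule per port, sourced solely from the managed prefix list."""
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "PrefixListIds": [{"PrefixListId": cloudfront_pl_id,
                                "Description": "CloudFront origin-facing"}]}
            for p in ports]


def main(group_id: str, region: str, apply: bool = False) -> list[str]:
    """Resolve the prefix-list id, audit the group and optionally swap the open
    rules for prefix-list rules. Needs boto3 and AWS credentials; assumes no
    prefix-list rule already exists for the web ports."""
    import boto3  # imported here so the audit helpers stay usable offline
    ec2 = boto3.client("ec2", region_name=region)
    pls = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [CLOUDFRONT_PL_NAME]}]
    )["PrefixLists"]
    pl_id = pls[0]["PrefixListId"]
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    findings = noncompliant_sources(sg, pl_id)
    if apply and findings:
        # Add the restrictive rules first, then revoke the original open ones,
        # so CloudFront traffic is never interrupted during the change.
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=cloudfront_only_permissions(pl_id))
        open_rules = [r for r in sg["IpPermissions"] if _covers_web_port(r)]
        ec2.revoke_security_group_ingress(GroupId=group_id,
                                          IpPermissions=open_rules)
    return findings


if __name__ == "__main__":
    import sys
    # usage: python alb_cloudfront_sg.py <sg-id> <region> [--apply]
    print(main(sys.argv[1], sys.argv[2], apply="--apply" in sys.argv))
```

Run without `--apply` first: an empty list from `noncompliant_sources` means the ALB's web ports already admit only CloudFront's origin-facing ranges; anything else listed is a source that still bypasses CloudFront. The ordering in `main()` (authorize, then revoke) matters in production, since revoking the open rules before the prefix-list rules exist would briefly block CloudFront itself.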