Q67 — AWS SAP-C02 Ch.1


Q142. A company runs an application on a fleet of Amazon EC2 instances that are in private subnets behind an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL that contains various AWS managed rules is associated with the CloudFront distribution. The company needs a solution that will prevent internet traffic from directly accessing the ALB. Which solution will meet these requirements with the LEAST operational overhead?

Correct Answer: C. Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only

Explanation

The solution that meets the requirement with the least operational overhead is Option C: add a security group rule to the ALB that allows inbound traffic only from the AWS managed prefix list for CloudFront, and remove any existing security group rules that allow inbound traffic from the internet or other sources.

This solution relies on the built-in functionality of AWS managed prefix lists, which AWS updates automatically as necessary. By restricting access to the ALB to only the IP addresses associated with CloudFront, the company prevents direct internet traffic from reaching the application while still allowing traffic to flow through CloudFront.

Option A involves duplicating the existing web ACL, which adds management overhead. Option B would not provide any security measures beyond those already in place with the existing web ACL. Option D involves managing a potentially large list of CloudFront IP address ranges by hand, which could become cumbersome to maintain over time.

Therefore, option C provides a simple and effective solution that prevents internet traffic from directly accessing the ALB with the least operational overhead.