AWS Certified Solutions Architect - Professional / Question #947 of 529

Question #947

A company is enhancing security for its AWS-hosted web application using Amazon CloudFront with two custom origins. The first origin directs traffic to an Amazon S3 bucket hosting static content, secured with an OpenID Connect (OIDC) identity provider (IdP) for user authentication. The second origin routes to an Application Load Balancer (ALB) forwarding requests to EC2 instances. A security audit reveals that while the S3 content requires authentication, the ALB allows unauthenticated access. The solutions architect must ensure all backend services only respond to authenticated users. Which solution meets this requirement?

A

Configure the ALB to integrate with the OIDC IdP for authentication. Enforce authorization rules to allow only authenticated users to access the EC2 backend services.

B

Implement CloudFront signed cookies for both origins. Apply a strict policy to ensure all requests to the ALB and S3 bucket are authenticated.

C

Deploy AWS WAF rules on the ALB to block unauthenticated requests. Use preconfigured rules to filter traffic based on authentication headers.

D

Enable AWS Config to monitor ALB access patterns. Use Amazon EventBridge to trigger Lambda functions that revoke access for unauthenticated users.

Explanation

Answer A is correct because integrating the ALB with the OIDC IdP enables authentication at the ALB layer, ensuring only authenticated users can access the EC2 backend services. This aligns with the S3 origin's OIDC-based authentication, providing a consistent security posture.
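To show concretely what "integrating the ALB with the OIDC IdP" looks like, here is an added Terraform example (not part of the original question or explanation) of an ALB listener rule that runs the built-in `authenticate-oidc` action before forwarding to the EC2 target group. All endpoint URLs, ARNs, client ID and secret are placeholder values; the listener must be HTTPS, because ALB authentication actions are only supported on HTTPS listeners, and a request that carries no valid session cookie is redirected to the IdP rather than reaching the targets.

```hcl
# Added example: ALB listener rule enforcing OIDC authentication before forward.
# All identifiers below are placeholders, not values from the question.

resource "aws_lb_listener_rule" "authenticated_app" {
  # Must reference an HTTPS (port 443) listener; authenticate-oidc is not
  # available on plain HTTP listeners.
  listener_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/PLACEHOLDER"
  priority     = 10

  # Action order matters: the authenticate action must precede the forward
  # action, so unauthenticated requests never reach the EC2 target group.
  action {
    type = "authenticate-oidc"

    authenticate_oidc {
      issuer                 = "https://idp.example.com"              # placeholder IdP
      authorization_endpoint = "https://idp.example.com/authorize"    # placeholder
      token_endpoint         = "https://idp.example.com/oauth/token"  # placeholder
      user_info_endpoint     = "https://idp.example.com/userinfo"     # placeholder
      client_id              = "PLACEHOLDER_CLIENT_ID"
      client_secret          = "PLACEHOLDER_CLIENT_SECRET"            # store in Secrets Manager in practice

      # "authenticate" redirects unauthenticated users to the IdP;
      # "deny" would return 401 instead, "allow" would let them through.
      on_unauthenticated_request = "authenticate"
      scope                      = "openid"
      session_cookie_name        = "AWSELBAuthSessionCookie"
      session_timeout            = 3600 # seconds
    }
  }

  action {
    type             = "forward"
    target_group_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER"
  }

  # Apply to every path behind this listener.
  condition {
    path_pattern {
      values = ["/*"]
    }
  }
}
```

After `terraform apply`, a browser hitting the ALB (directly or via the CloudFront origin) without a valid session cookie is redirected to the IdP's authorization endpoint, and the EC2 instances only ever see requests that passed the OIDC check; the ALB forwards the user's identity to targets in the `x-amzn-oidc-*` headers, which the backend can verify if it needs per-user authorization.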

Why other options are incorrect:
- B: CloudFront signed cookies would require client-side changes and conflict with the existing OIDC setup for S3.
- C: AWS WAF cannot reliably validate authentication status without specific headers, which are not mentioned in the scenario.
- D: AWS Config and EventBridge provide reactive monitoring, not proactive authentication enforcement.

Key Points:
1. ALB supports OIDC integration for authentication.
2. Authentication must be enforced at the origin (ALB) to prevent unauthenticated access.
3. Proactive authentication (e.g., OIDC) is preferred over reactive measures (e.g., WAF or AWS Config).

Answer

The correct answer is: A