AWS Certified Solutions Architect - Professional / Question #691 of 529

Question #691

A company hosts a web application using Amazon EC2 instances in private subnets behind an internet-facing Application Load Balancer (ALB). The ALB serves as the origin for an Amazon CloudFront distribution, which is protected by an AWS WAF web ACL with several AWS managed rules. The company wants to ensure that all incoming traffic must go through CloudFront and prevent direct access to the ALB from the internet. Which solution meets these requirements with the LEAST operational overhead?

A

Create a new AWS WAF web ACL identical to the existing one and associate it with the ALB.

B

Associate the existing AWS WAF web ACL with both the CloudFront distribution and the ALB.

C

Modify the ALB's security group to allow inbound traffic only from the AWS managed prefix list for CloudFront.

D

Update the ALB's security group to permit inbound traffic solely from the published CloudFront IP ranges.

Explanation

Option C is correct because AWS publishes a managed prefix list, com.amazonaws.global.cloudfront.origin-facing, that contains the IP ranges of CloudFront's origin-facing servers and is kept current by AWS. Referencing that prefix list in the ALB's security group allows inbound traffic only from CloudFront, so a client that resolves the ALB's DNS name and connects to it directly is dropped at the security group. Two practical caveats: the prefix list carries a weight of 55 rule entries against the security group's per-group inbound rule quota (60 by default), so a group that already holds other rules may need a quota increase; and the prefix list only proves that a request arrived via CloudFront, not via your distribution, so if you also need to block other CloudFront distributions from reaching the origin, have your distribution add a secret custom origin header and check for it at the ALB (for example with a regional AWS WAF rule).
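The following script is an added example for this page, not AWS code or part of the original question. It audits an ALB security group against the rule Option C describes: on the listener ports, the only permitted source must be the CloudFront origin-facing managed prefix list, with no CIDR, IPv6 range, security-group reference or other prefix list. The input dictionaries are constructed to match the shape of `aws ec2 describe-managed-prefix-lists` and `aws ec2 describe-security-groups` output; the pl- and sg- IDs in them are made up, and the function names are this example's own.

```python
"""Audit an ALB security group for CloudFront-only ingress.

Added example (not AWS-provided code). Sample data below is constructed in the
shape of EC2 describe-* API output; all resource IDs are made up.
"""
import json

# AWS-managed prefix list for CloudFront's origin-facing servers.
CLOUDFRONT_PL_NAME = "com.amazonaws.global.cloudfront.origin-facing"

# Constructed: shape of `aws ec2 describe-managed-prefix-lists` output.
SAMPLE_PREFIX_LISTS = {
    "PrefixLists": [
        {"PrefixListId": "pl-0123456789abcdef0",
         "PrefixListName": CLOUDFRONT_PL_NAME, "OwnerId": "AWS"},
        {"PrefixListId": "pl-0fedcba9876543210",
         "PrefixListName": "com.amazonaws.us-east-1.s3", "OwnerId": "AWS"},
    ]
}

# Constructed: two ALB security groups in `describe-security-groups` shape.
# The first still allows the whole internet on 443 alongside the CloudFront
# rule; the second allows only the CloudFront prefix list.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0bad0bad0bad0bad0",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
              "PrefixListIds": [], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [], "Ipv6Ranges": [],
              "PrefixListIds": [{"PrefixListId": "pl-0123456789abcdef0"}],
              "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0a1b2c3d4e5f67890",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [], "Ipv6Ranges": [],
              "PrefixListIds": [{"PrefixListId": "pl-0123456789abcdef0"}],
              "UserIdGroupPairs": []}]},
    ]
}


def cloudfront_prefix_list_id(describe_output):
    """Return the ID of the AWS-owned CloudFront origin-facing prefix list."""
    for pl in describe_output["PrefixLists"]:
        if pl["PrefixListName"] == CLOUDFRONT_PL_NAME and pl["OwnerId"] == "AWS":
            return pl["PrefixListId"]
    raise LookupError(f"{CLOUDFRONT_PL_NAME} not found in this Region")


def _covers_port(perm, port):
    """True if an IpPermissions entry applies to TCP <port> (or to all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def audit_alb_ingress(group, cf_pl_id, listener_ports=(80, 443)):
    """Return findings for one security group; an empty list means it is clean.

    Every source other than the CloudFront prefix list on a listener port is
    flagged, and so is a listener port with no CloudFront rule at all.
    """
    findings = []
    has_cf_rule = {p: False for p in listener_ports}
    for perm in group["IpPermissions"]:
        for port in listener_ports:
            if not _covers_port(perm, port):
                continue
            for r in perm.get("IpRanges", []):
                findings.append(f"port {port}: open to CIDR {r['CidrIp']}")
            for r in perm.get("Ipv6Ranges", []):
                findings.append(f"port {port}: open to IPv6 {r['CidrIpv6']}")
            for r in perm.get("UserIdGroupPairs", []):
                findings.append(f"port {port}: open to SG {r['GroupId']}")
            for r in perm.get("PrefixListIds", []):
                if r["PrefixListId"] == cf_pl_id:
                    has_cf_rule[port] = True
                else:
                    findings.append(f"port {port}: open to prefix list {r['PrefixListId']}")
    for port, ok in has_cf_rule.items():
        if not ok:
            findings.append(f"port {port}: no rule for CloudFront prefix list {cf_pl_id}")
    return findings


def cloudfront_only_ingress(cf_pl_id, port=443):
    """IpPermissions payload for `aws ec2 authorize-security-group-ingress`."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "PrefixListIds": [{"PrefixListId": cf_pl_id,
                                "Description": "CloudFront origin-facing servers only"}]}]


if __name__ == "__main__":
    pl_id = cloudfront_prefix_list_id(SAMPLE_PREFIX_LISTS)
    for sg in SAMPLE_GROUPS["SecurityGroups"]:
        result = audit_alb_ingress(sg, pl_id, listener_ports=(443,))
        print(sg["GroupId"], "OK" if not result else result)
    # Payload to add the CloudFront-only rule (revoke the 0.0.0.0/0 rule separately).
    print(json.dumps(cloudfront_only_ingress(pl_id)))
```

Against real accounts, feed the script the output of `aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing` and `aws ec2 describe-security-groups --group-ids <ALB SG>`; the first group in the sample is the common misconfiguration where the prefix-list rule was added but the original 0.0.0.0/0 rule was never revoked, which leaves the ALB directly reachable.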

Other options are incorrect because:
- A/B: A web ACL on the ALB filters the requests that reach the ALB, but it does not stop clients from reaching the ALB directly, so the CloudFront layer can still be bypassed. B also does not work as stated: a web ACL associated with a CloudFront distribution has the CLOUDFRONT (global) scope, and an ALB requires a separate REGIONAL web ACL.
- D: The published CloudFront IP ranges (ip-ranges.json) change over time, so hard-coding them in the security group means re-checking and editing the rules whenever they change, unlike the AWS-maintained prefix list in C.

Key Points:
1. Use security groups to restrict ALB access to CloudFront.
2. AWS managed prefix lists simplify IP management for services like CloudFront.
3. Blocking direct ALB access ensures all traffic is inspected by CloudFront and WAF.

Answer

The correct answer is: C