AWS Certified Solutions Architect - Professional / Question #861 of 529

Question #861

A company deployed a web application using AWS Elastic Beanstalk, which uses an internet-facing Application Load Balancer (ALB) fronted by Amazon CloudFront. A security audit revealed that the application is reachable through both the CloudFront distribution and the ALB's own DNS endpoint. The company needs to ensure the application is accessible only via the CloudFront endpoint. Which solution meets this requirement with the LEAST amount of effort?

A

Create a security group for CloudFront and update the ALB's security group ingress rules to allow traffic only from the CloudFront security group.

B

Update the ALB security group ingress rules to allow access only from the com.amazonaws.global.cloudfront.origin-facing CloudFront managed prefix list.

C

Change the ALB scheme from internet-facing to internal and create a VPC interface endpoint for Elastic Load Balancing.

D

Extract CloudFront IP ranges from the AWS ip-ranges.json document and update the ALB security group ingress rules to allow only those IPs.

Explanation

Answer B is correct because AWS provides a managed prefix list (com.amazonaws.global.cloudfront.origin-facing) containing all current CloudFront IP ranges. Updating the ALB's security group ingress rules to reference this list ensures only CloudFront can access the ALB, blocking direct access via the ALB's DNS. This approach requires no manual IP management and automatically stays updated.

Other options are incorrect because:
- A: CloudFront does not use security groups, so this is not feasible.
- C: Changing the ALB to internal would prevent CloudFront (external) from accessing it without additional complex networking setups.
- D: Manually extracting CloudFront IPs from ip-ranges.json is error-prone and requires ongoing maintenance.

Key Takeaway: Use AWS-managed prefix lists for services like CloudFront to simplify security group rules and ensure automatic updates.
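As an added illustration of answer B (this is example code written for this page, not from the question bank or from AWS), the Terraform configuration below looks up the managed prefix list by name and adds an ingress rule that references it instead of literal CIDRs. The variable `alb_security_group_id`, the HTTPS/443 listener port and the resource names are assumptions for the example; the prefix list name `com.amazonaws.global.cloudfront.origin-facing` is the one given in the question.

```hcl
# Added example (not from the question page): restrict an internet-facing ALB
# to CloudFront by referencing the AWS-managed origin-facing prefix list.
# Assumptions: the ALB's security group already exists and its ID is passed
# in as var.alb_security_group_id; the ALB listener is HTTPS on port 443.

variable "alb_security_group_id" {
  type        = string
  description = "Security group attached to the Elastic Beanstalk ALB (assumed input)"
}

# Resolve the CloudFront origin-facing managed prefix list by its well-known name.
# AWS keeps its entries current, so no ip-ranges.json parsing is needed.
data "aws_ec2_managed_prefix_list" "cloudfront_origin_facing" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

# Ingress rule that allows HTTPS only from addresses in the prefix list.
# Any pre-existing 0.0.0.0/0 ingress rule on the same group must be removed,
# otherwise the ALB's DNS name stays reachable from the whole internet.
resource "aws_security_group_rule" "alb_https_from_cloudfront" {
  type              = "ingress"
  description       = "HTTPS from CloudFront edge locations only"
  security_group_id = var.alb_security_group_id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront_origin_facing.id]
}

# Expose the resolved pl-... ID so it can be cross-checked against the console.
output "cloudfront_prefix_list_id" {
  value = data.aws_ec2_managed_prefix_list.cloudfront_origin_facing.id
}
```

Two checks are worth doing after applying this. First, confirm with `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<alb-sg-id>` that the only ingress rules left are the prefix-list rule(s); an Elastic Beanstalk-managed load balancer security group is created with an open 0.0.0.0/0 rule, and the `aws:elbv2:loadbalancer` namespace options `SecurityGroups` and `ManagedSecurityGroup` let you attach your own group instead. Second, note that the managed prefix list consumes a weighted number of entries against the security group rule quota (AWS documents the CloudFront list at a weight of 55 against a default of 60 rules per group), so a group that already carries many rules may need a quota increase. The prefix list restricts the ALB to CloudFront as a service, not to your specific distribution; if that distinction matters, CloudFront's custom origin header validated by an ALB listener rule is the usual complement.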

Answer

The correct answer is: B