Exam ANS-C00 topic 1 question 55 discussion

Its B , Origin Access identity is only valid for s3 origin not ec2 or ALB

DDDDDDDDDDD

Answer B https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/

Answer B https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager

I am voting for B, How to enhance Amazon CloudFront origin security with AWS WAF and AWS Secrets Manager, https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/

Option-B is correct. Because of below: "There is concern that an external agency might be able to access the IP addresses for the application's origin " - This reveals that Origin is EC2 instance (which has IP Address). Not S3. So ALB with WAF will protect Origin and using CF with Custom header will allow CF to safely interact with ALB.

Among these answers B is only valid choice. Regarding security, more stronger protection is scheduling a Lambda function to update Security Group of the origin. The Lambda function can get Edge Location IPs and update the SG. (Of-course with limited edge locations only)

B is the answer. Since OIA is only for S3

Answer is B, OAI is for S3 endpoint.. Guys just stop guessing answers and if you comment with your answers provide proof for the answer

D??? Seriously people. Do you even know what is an OAI?

I believe the correct response is D. I'm intrigued with the some of these responses though, why would you use an ALB with CloudFront??

Answer is B. D. Is valid to S3 The questions say "ip address"

I dont see what eliminate C option? IMO both B and C are valid options. Acc to official study guide B custom header usage in past is more of 'static nature' whereas lambda@edge offers programatic way to populate values in custom header dynamically 'making it even more difficult to subvert your origin access enforcement mechanisms' The question requires 'strongest level of protection' Correct answer: C

After reading the question again, i think B is the correct answer. Keyword is "IP addresses for the applications origin"

I think the answer is D

question said "IP addresses for the applications origin" so we can assume it's not talking about s3 and then D can't be an option since OAI concerns only S3 as origin Valid option is B

https://aws.amazon.com/vi/about-aws/whats-new/2016/01/amazon-cloudfront-adds-new-origin-security-features/ Add or modify request headers forwarded from CloudFront to your origin (launched Dec 28th): Now you can configure CloudFront to add custom headers or override the value of existing request headers when CloudFront forwards requests to your origin. You can use these headers to help validate that requests made to your origin were sent from CloudFront (shared secret) and configure your origin to only allow requests that contain the custom header values that you specify. This feature also helps with setting up Cross-Origin Request Sharing (CORS) for your CloudFront distribution - you can configure CloudFront to always add custom headers to your origin to accommodate viewers that don't automatically include those headers in requests. It also allows you to disable varying on the Origin header, which improves your cache hit ratio, yet forward the appropriate headers so that your origin can respond with the CORS header. For more information, see Forwarding Custom Headers to Your Origin in the Amazon CloudFront Developer Guide. Correct Answer is B !