Exam AWS Certified Security - Specialty topic 1 question 223 discussion

D for me "Whitelist Amazon CloudFront IPs on your custom origin’s firewall. A custom origin is an HTTP(S) endpoint, for example, an HTTP server on an Amazon EC2 instance or an HTTP server that you manage p" : https://aws.amazon.com/blogs/networking-and-content-delivery/serving-private-content-using-amazon-cloudfront-aws-lambdaedge/

D. There is NO interface endpoint for CloudFront. This makes D the only valid answer, even if it is not the most efficient solution.

D is the correct answer CF <OAI/OAC>>>S3 CF <prefix list>>><SG of ALB>

Creating an origin access identity (OAI) in CloudFront allows you to restrict access to the S3 bucket contents only through CloudFront. Modifying the S3 bucket policy to allow only the new OAI to access the bucket ensures that direct access to the S3 bucket is blocked. Associating the ALB with a security group that allows incoming traffic only from the CloudFront service ensures that all external access to the website goes through CloudFront and provides an additional layer of security.

Create an origin access identity (OAI) in CloudFront: An OAI is a special CloudFront user that can be used to control access to the content in an S3 bucket. By creating an OAI, you can ensure that only CloudFront has permission to access the election result .pdf files stored in the S3 bucket. Modify the S3 bucket policy: Update the S3 bucket policy to allow access only to the OAI created in the previous step. This ensures that the .pdf files in the S3 bucket can only be accessed by CloudFront. Associate the ALB with a security group: Configure a security group for the ALB that allows incoming traffic only from the CloudFront service. This restricts direct access to the ALB and ensures that all external traffic is routed through CloudFront.

https://docs.aws.amazon.com/es_es/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

AWS privatelink endpoints serve 135 AWS services, CloudFront is not one of them yet. D is correct https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

The correct answer is C. This solution meets the requirements of ensuring that all external access to the website goes through CloudFront. By creating an origin access identity (OAI) in CloudFront, you can ensure that only CloudFront is able to access the contents of the S3 bucket. Modifying the S3 bucket policy to allow only the new OAI to access the bucket contents will further restrict access to the contents of the bucket. Creating an interface VPC endpoint for CloudFront to securely communicate with the ALB will allow CloudFront to access the EC2 instances and the ALB within the VPC. Option D only mentions creating an origin access identity but it does not specify how the traffic will be secured and restricted to CloudFront Only.

Source: https://aws.amazon.com/blogs/networking-and-content-delivery/limit-access-to-your-origins-using-the-aws-managed-prefix-list-for-amazon-cloudfront/

There's AWS managed prefix list for CloudFront that can be used in security group. This helps a lot, so you don't need to know exact CIDRs or IPs.

D because: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html Note: New OAC feature added Aug 2022 will change this question soon, i think.

Option D.

D is the good answer

D is the good answer

D If your origin is an Elastic Load Balancing load balancer or an Amazon EC2 instance, you can use VPC security groups to allow only CloudFront to access your applications. You can accomplish this by creating a security group that only allows the specific IP ranges of CloudFront. https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/

D for sure.

D right, we are tested, we take the exam (hahaha), just try to see how your alb communicate with cloudfront ???