Exam AWS Certified Security - Specialty topic 1 question 245 discussion

Answer D - this is the only way to ensure that the end user is not getting a HTTP 403 forbidden message when tried using HTTP as it will use HTTP to HTTPS redirect 303, and also ensures OAI through origin custom header, and the origin protocol policy will ensure that the traffic is negotiated to the ALB only via TLS

D is answer https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html

Both options B & D are equally secure. Viewer policy either initiated over HTTP or HTTPs, will always reached CloudFront as HTTPS. B. Only accepts HTTPS, and origin protocol matches viewer's (HTTPS). D. Redirecting HTTP to HTTPS, and origin protocol is HTTPS. Equally secure. I can't see why picking one over the other in the question context.

B is the most secure. With D, the subsequent requests are secured but the first HTTP would have given out some data on the line.

While I would personally implement D (and redirect HTTP to HTTPS), they have asked for the *most* secure solution. The answer is therefore B, drop HTTP support completely and only serve HTTPS.

D. Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header. This option is the most secure solution. By setting the viewer protocol policy to redirect HTTP to HTTPS, it ensures that all requests are encrypted. Setting the origin protocol policy to HTTPS only ensures end-to-end encryption between CloudFront and the ALB. Updating the application to validate the CloudFront custom header adds an additional layer of security to ensure that content is accessed only through CloudFront.

B. Add an origin custom header. Set the viewer protocol policy to HTTPS only. Set the origin protocol policy to match viewer. Update the application to validate the CloudFront custom header. This solution ensures the highest level of security

In the question said " build the MOST secure solution?" To improve the security of this solution, you can configure your CloudFront distribution to always use HTTPS when sending requests to your Application Load Balancer. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html#restrict-alb-improve-security

tell the ALB to redirect http requests to https.

Answer C "HTTP Only is the default setting when the origin is an Amazon S3 static website hosting endpoint, because Amazon S3 doesn’t support HTTPS connections for static website hosting endpoints. The CloudFront console does not support changing this setting for Amazon S3 static website hosting endpoints." https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html

D - i believe is correct. We are cutting out HTTP Viewer will be switched to HTTPS. Cloud front will use HTTPS to connect to ALB. ALB will check origin and terminate TLS. Request will be passed to ECS

Answer B. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html#restrict-alb-improve-security To improve the security of this solution, you can configure your CloudFront distribution to always use HTTPS when sending requests to your Application Load Balancer. Remember, this solution only works if you keep the custom header name and value secret. Using HTTPS can help prevent an eavesdropper from discovering the header name and value. We also recommend rotating the header name and value periodically.