Exam AWS Certified Solutions Architect - Professional topic 1 question 926 discussion

A medical company is running a REST API on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group behind an Application Load Balancer (ALB). The ALB runs in three public subnets, and the EC2 instances run in three private subnets. The company has deployed an Amazon CloudFront distribution that has the ALB as the only origin.
Which solution should a solutions architect recommend to enhance the origin security?

  • A. Store a random string in AWS Secrets Manager. Create an AWS Lambda function for automatic secret rotation. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Create an AWS WAF web ACL rule with a string match rule for the custom header. Associate the web ACL with the ALB.
  • B. Create an AWS WAF web ACL rule with an IP match condition of the CloudFront service IP address ranges. Associate the web ACL with the ALB. Move the ALB into the three private subnets.
  • C. Store a random string in AWS Systems Manager Parameter Store. Configure Parameter Store automatic rotation for the string. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Inspect the value of the custom HTTP header, and block access in the ALB.
  • D. Configure AWS Shield Advanced. Create a security group policy to allow connections from CloudFront service IP address ranges. Add the policy to AWS Shield Advanced, and attach the policy to the ALB.
Suggested Answer: A
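To make answer A concrete, here is an added example (not from the question, the comments, or AWS) that builds the WAFv2 allow rule for the custom origin header and checks it locally against sample requests. The header name X-Origin-Verify, the rule name and the secret strings are assumptions; the evaluator mimics only the ByteMatchStatement/OrStatement semantics used here, not the real WAF engine. It also covers the rotation window, where the AWSCURRENT and AWSPENDING values must both be accepted so CloudFront can switch header values without dropping traffic.

```python
"""WAFv2 rule for a CloudFront custom origin header, with a local check."""
import secrets
from typing import Optional

HEADER_NAME = "X-Origin-Verify"  # assumed name of the CloudFront custom origin header


def new_secret() -> str:
    """Random string CloudFront will send; this is what Secrets Manager stores."""
    return secrets.token_urlsafe(32)


def byte_match(value: str) -> dict:
    """WAFv2 ByteMatchStatement: the header must equal the secret exactly.
    SearchString is shown as str; the boto3 API takes bytes (JSON: base64)."""
    return {"ByteMatchStatement": {
        "FieldToMatch": {"SingleHeader": {"Name": HEADER_NAME.lower()}},
        "PositionalConstraint": "EXACTLY",
        "SearchString": value,
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}


def build_rule(current: str, pending: Optional[str] = None) -> dict:
    """Allow rule for a web ACL whose DefaultAction is Block (attached to the ALB).
    While a rotation is in flight, both the AWSCURRENT and AWSPENDING values
    are accepted so CloudFront can be updated without a window of blocked requests."""
    stmt = byte_match(current) if pending is None else {
        "OrStatement": {"Statements": [byte_match(current), byte_match(pending)]}}
    return {"Name": "AllowCloudFrontOriginHeader", "Priority": 0, "Statement": stmt,
            "Action": {"Allow": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": "AllowCloudFrontOriginHeader"}}


def matches(stmt: dict, headers: dict) -> bool:
    """Local approximation of WAF statement evaluation (headers: name -> value)."""
    if "OrStatement" in stmt:
        return any(matches(s, headers) for s in stmt["OrStatement"]["Statements"])
    bm = stmt["ByteMatchStatement"]
    name = bm["FieldToMatch"]["SingleHeader"]["Name"]   # header names are case-insensitive
    sent = {k.lower(): v for k, v in headers.items()}.get(name)
    return sent is not None and sent == bm["SearchString"]


def evaluate(rule: dict, headers: dict) -> str:
    """'ALLOW' if the request carries a valid header, else the ACL default 'BLOCK'."""
    return "ALLOW" if matches(rule["Statement"], headers) else "BLOCK"
```

A request that reaches the ALB directly (no CloudFront in the path) carries no such header and falls through to the web ACL's Block default.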

Comments

pixepe
Highly Voted 2 years, 8 months ago
Answer is A. Competition is between A & C. C is INCORRECT - since auto rotation is (natively) NOT supported in Parameter Store. From AWS, "However, Parameter Store doesn't provide automatic rotation services for stored secrets. Instead, Parameter Store enables you to store your secret in Secrets Manager, and then reference the secret as a Parameter Store parameter."
upvoted 8 times
AwsBRFan
Highly Voted 2 years, 8 months ago
Selected Answer: A
I agree A = https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/
upvoted 5 times
zozza2023
Most Recent 2 years, 3 months ago
Selected Answer: A
Should be A. Others are wrong.
upvoted 1 times
masetromain
2 years, 4 months ago
Selected Answer: A
A. Store a random string in AWS Secrets Manager. Create an AWS Lambda function for automatic secret rotation. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Create an AWS WAF web ACL rule with a string match rule for the custom header. Associate the web ACL with the ALB. This solution will enhance the origin security by adding an additional layer of security with a random string that is stored in Secrets Manager and rotates automatically. CloudFront is configured to inject the random string as a custom HTTP header for the origin request. An AWS WAF web ACL rule is created to match this custom header and is associated with the ALB. This way, only requests with the correct custom header will be allowed to reach the origin, and requests without the correct header will be blocked by the WAF.
upvoted 1 times
AjayPrajapati
2 years, 6 months ago
Selected Answer: A
A is correct. B - not correct, since it is asking the ALB to move to a private subnet without any way to communicate from CloudFront to the ALB. Parameter Store can not rotate.
upvoted 1 times
alxjandroleiva
2 years, 6 months ago
Selected Answer: B
Create an AWS Lambda function for automatic secret rotation? This is a joke. B, https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html
upvoted 1 times
Byrney
2 years, 6 months ago
No joke: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html#rotate-secrets_how Using B would allow any CloudFront distribution to access the API, not just the customer's.
upvoted 1 times
tomosabc1
2 years, 6 months ago
Selected Answer: A
I don't really understand why B is wrong when it can achieve the same effect as option A, that is, preventing the ALB from being accessed directly (meaning users have to access the ALB via CloudFront). Why is B wrong? Is it because the IP address ranges for the CloudFront service are dynamic, and the CloudFront prefix list should be used instead?
upvoted 1 times
tomosabc1
2 years, 6 months ago
"The CloudFront managed prefix list contains the IP address ranges of all of CloudFront's globally distributed origin-facing servers. If your origin is hosted on AWS and protected by an Amazon VPC security group, you can use the CloudFront managed prefix list to allow inbound traffic to your origin only from CloudFront's origin-facing servers, preventing any non-CloudFront traffic from reaching your origin. CloudFront maintains the managed prefix list so it's always up to date with the IP addresses of all of CloudFront's global origin-facing servers. With the CloudFront managed prefix list, you don't need to read or maintain a list of IP address ranges yourself." https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html
upvoted 3 times
JayF88
2 years, 7 months ago
Selected Answer: A
A definitely
upvoted 1 times
ArreRaja
2 years, 8 months ago
A. https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other