ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified SysOps Administrator - Associate All Questions

View all questions & answers for the AWS Certified SysOps Administrator - Associate exam
Go to Exam

Exam AWS Certified SysOps Administrator - Associate topic 1 question 201 discussion

Exam question from Amazon's AWS Certified SysOps Administrator - Associate
Question #: 201
Topic #: 1
[All AWS Certified SysOps Administrator - Associate Questions]

A company’s web application is available through an Amazon CloudFront distribution and directly through an internet-facing Application Load Balancer (ALB). A SysOps administrator must make the application accessible only through the CloudFront distribution and not directly through the ALB. The SysOps administrator must make this change without changing the application code.

Which solution will meet these requirements?

  • A. Modify the ALB type to internal. Set the distribution’s origin to the internal ALB domain name.
  • B. Create a Lambda@Edge function. Configure the function to compare a custom header value in the request with a stored password and to forward the request to the origin in case of a match. Associate the function with the distribution.
  • C. Replace the ALB with a new internal ALB. Set the distribution’s origin to the internal ALB domain name. Add a custom HTTP header to the origin settings for the distribution. In the ALB listener, add a rule to forward requests that contain the matching custom header and the header’s value. Add a default rule to return a fixed response code of 403.
  • D. Add a custom HTTP header to the origin settings for the distribution. In the ALB listener, add a rule to forward requests that contain the matching custom header and the header’s value. Add a default rule to return a fixed response code of 403.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by vijaya at Dec. 15, 2022, 11:58 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Arnaud92
Highly Voted 2 years, 1 month ago
Selected Answer: D
D https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html
upvoted 5 times
...
kaka321
Most Recent 1 month, 1 week ago
Selected Answer: D
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html
upvoted 1 times
...
johnson_chao
10 months, 3 weeks ago
Selected Answer: D
answer is D Configure CloudFront to add a custom HTTP header to requests that it sends to the Application Load Balancer. ref : https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html
upvoted 2 times
...
r2c3po
1 year, 1 month ago
Selected Answer: C
Option C provides a solution to make the application accessible only through the CloudFront distribution and not directly through the ALB.
upvoted 1 times
...
TwinSpark
1 year, 4 months ago
Selected Answer: D
ALB cannot be internal. https://repost.aws/questions/QUdr1a-rXWQFiGqKVjNPhOpg/cloudfront-internal-elb-origin so it's D https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html
upvoted 2 times
konieczny69
1 year, 2 months ago
Nonsence - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-application-load-balancer.html
upvoted 1 times
...
...
Madiba237
1 year, 5 months ago
The answer is C instead of D , D do not block access directly from the ALB
upvoted 2 times
konieczny69
1 year, 2 months ago
of course its C
upvoted 1 times
...
...
jipark
1 year, 6 months ago
Selected Answer: D
it's similar what we do for SSL redirecting. when came in directly, redirect L4 or DNS.
upvoted 1 times
...
Christina666
1 year, 6 months ago
Selected Answer: D
All requests go through CLoudfront, sample cloudformation template as below: DistributionConfig: Origins: - DomainName: app-load-balancer.example.com Id: Example-ALB CustomOriginConfig: OriginProtocolPolicy: https-only OriginSSLProtocols: - TLSv1.2 OriginCustomHeaders: - HeaderName: X-Custom-Header HeaderValue: random-value-1234567890
upvoted 2 times
...
Christina666
1 year, 6 months ago
Selected Answer: D
You can configure CloudFront to add a custom HTTP header to the requests that it sends to your origin (in this case, an Application Load Balancer). Important This use case relies on keeping the custom header name and value secret. If the header name and value are not secret, other HTTP clients could potentially include them in requests that they send directly to the Application Load Balancer. This can cause the Application Load Balancer to behave as though the requests came from CloudFront when they did not. To prevent this, keep the custom header name and value secret.
upvoted 2 times
Christina666
1 year, 6 months ago
CloudFront can also help to reduce latency and even absorb some distributed denial of service (DDoS) attacks. However, if users can bypass CloudFront and access your Application Load Balancer directly, you don’t get these benefits. But you can configure Amazon CloudFront and your Application Load Balancer to prevent users from directly accessing the Application Load Balancer. This allows users to access the Application Load Balancer only through CloudFront, ensuring that you get the benefits of using CloudFront. To prevent users from directly accessing an Application Load Balancer and allow access only through CloudFront, complete these high-level steps: Configure CloudFront to add a custom HTTP header to requests that it sends to the Application Load Balancer. Configure the Application Load Balancer to only forward requests that contain the custom HTTP header. (Optional) Require HTTPS to improve the security of this solution.
upvoted 2 times
...
...
noahsark
1 year, 10 months ago
Selected Answer: D
Add a custom HTTP header to the origin settings for the distribution. In the ALB listener, add a rule to forward requests that contain the matching custom header and the header’s value. Add a default rule to return a fixed response code of 403. Configure CloudFront to add a custom HTTP header to requests that it sends to the Application Load Balancer. Configure the Application Load Balancer to only forward requests that contain the custom HTTP header. (Optional) Require HTTPS to improve the security of this solution. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html
upvoted 3 times
...
MrMLB
2 years, 2 months ago
Selected Answer: D
D To make the application accessible only through the CloudFront distribution and not directly through the Application Load Balancer (ALB), you can add a custom HTTP header to the origin settings for the CloudFront distribution. You can then create a rule in the ALB listener to forward requests that contain the matching custom header and its value to the origin. You can also add a default rule to the ALB listener to return a fixed response code of 403 for requests that do not contain the matching custom header. This will allow you to redirect all requests to the CloudFront distribution and block direct access to the application through the ALB.
upvoted 4 times
...
vijaya
2 years, 2 months ago
A, but may need to remove public IP of ALB from DNS.
upvoted 2 times
joanneli77
2 years ago
CloudFront requires the origin to be public, therefore ALB must have public IP. That's the root of the problem in this question.
upvoted 2 times
...
beznika
2 years, 2 months ago
A seems correct.
upvoted 2 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel