Which solution will meet this requirement with the LEAST amount of effort?
A. Create a new security group and attach it to the CloudFront distribution. Update the ALB security group ingress to allow access only from the CloudFront security group.
B. Update the ALB security group ingress to allow access only from the com.amazonaws.global.cloudfront.origin-facing CloudFront managed prefix list.
C. Create a com.amazonaws.region.elasticloadbalancing VPC interface endpoint for Elastic Load Balancing. Update the ALB scheme from internet-facing to internal.
D. Extract CloudFront IPs from the AWS-provided ip-ranges.json document. Update the ALB security group ingress to allow access only from CloudFront IPs.
Explanations:
A. Security groups cannot be attached to a CloudFront distribution; CloudFront is not a VPC resource and does not use security groups. This option does not address the requirement.
B. Updating the ALB security group to allow ingress only from the CloudFront managed prefix list ensures that only CloudFront's origin-facing address ranges can reach the ALB, effectively blocking direct access, and AWS maintains the list as its ranges change.
C. Changing the ALB scheme to internal would remove its public endpoint entirely, including reachability from CloudFront. This does not meet the requirement that the application remain reachable through CloudFront.
D. Extracting CloudFront IPs from ip-ranges.json and updating the ALB security group by hand is complex, error-prone, and would require continuous updates as the ranges change, making it the most effortful option.
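The configuration behind option B, written as an added Terraform example (not part of the original question or of any AWS sample): the AWS-managed prefix list is looked up by its well-known name and used as the source of the ALB security group's HTTPS ingress rule, with the open 0.0.0.0/0 rule it replaces shown commented out for contrast. The security group name, the `vpc_id` variable and the resource labels are assumptions for illustration.

```hcl
# Added example, not from the original page: restrict an ALB's security group so that
# only CloudFront's origin-facing address ranges can reach it, using the AWS-managed
# prefix list. Resource names and the vpc_id variable are illustrative assumptions.

variable "vpc_id" {
  type        = string
  description = "VPC that hosts the ALB (assumed input)"
}

# Look up the managed prefix list by name. AWS keeps its CIDRs current, so nothing
# here has to be refreshed when CloudFront's address ranges change.
data "aws_ec2_managed_prefix_list" "cloudfront_origin_facing" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "alb" {
  name        = "alb-cloudfront-only"
  description = "ALB reachable only from CloudFront origin-facing ranges"
  vpc_id      = var.vpc_id
}

# Weak rule this design replaces (shown only for contrast; do not apply both):
# resource "aws_vpc_security_group_ingress_rule" "alb_https_anywhere" {
#   security_group_id = aws_security_group.alb.id
#   ip_protocol       = "tcp"
#   from_port         = 443
#   to_port           = 443
#   cidr_ipv4         = "0.0.0.0/0"
# }

# Hardened rule: the source is the managed prefix list, not a CIDR block.
resource "aws_vpc_security_group_ingress_rule" "alb_https_from_cloudfront" {
  security_group_id = aws_security_group.alb.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront_origin_facing.id
}

# Outbound traffic to targets is unrestricted here; tighten to the target subnets
# if your environment requires it.
resource "aws_vpc_security_group_egress_rule" "alb_all_out" {
  security_group_id = aws_security_group.alb.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}
```

Two points to check before applying: the CloudFront managed prefix list is weighted as 55 entries against the security group's rule quota (60 per direction by default), so a security group that already carries several rules may need a quota increase; and the rule admits traffic from any CloudFront distribution, not only yours, so pairing it with a secret custom origin header that the ALB listener rule validates keeps the origin closed to other distributions.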