Which solution will meet these requirements with the LEAST operational overhead?
Create a new web ACL that contains the same rules that the existing web ACL contains. Associate the new web ACL with the ALB.
Associate the existing web ACL with the ALB.
Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only.
Add a security group rule to the ALB to allow only the various CloudFront IP address ranges.
Explanations:
Creating a new web ACL with the same rules as the existing one adds unnecessary complexity and operational overhead, as it requires managing two separate web ACLs. This does not effectively prevent internet traffic from directly accessing the ALB.
Associating the existing web ACL with the ALB is not a feasible solution, as AWS WAF web ACLs can only be associated with CloudFront distributions and not directly with ALBs. This option would not achieve the desired goal of preventing direct access to the ALB.
Adding a security group rule to the ALB that allows traffic only from the AWS managed prefix list for CloudFront restricts access to the ALB to CloudFront alone, preventing direct internet access while keeping operational overhead low, because AWS maintains the prefix list's contents. This is a simple and effective solution.
Adding a security group rule to allow only the various CloudFront IP address ranges is a more manual and error-prone approach. CloudFront IP addresses can change, and maintaining an updated list adds operational overhead. Additionally, AWS managed prefix lists offer a more scalable solution.
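The difference between the two security-group options above is checkable. The following is an added example, not code from the question or from AWS: it audits an ALB security group in the JSON shape returned by `aws ec2 describe-security-groups`, flags any CIDR-based source (copied CloudFront ranges go stale when AWS changes them) and confirms that an ingress rule references the CloudFront managed prefix list. The prefix list name `com.amazonaws.global.cloudfront.origin-facing` is AWS's real managed list; the prefix-list ID, security group IDs and CIDRs are constructed sample values, and the helper names are the example's own.

```python
"""Audit an ALB security group for CloudFront-only ingress.

Added example; not code from the question page or from AWS. Every
ID and CIDR below is a constructed sample value. The managed prefix
list name is real, but its ID differs per region and must be looked up
with `aws ec2 describe-managed-prefix-lists` before use.
"""
from typing import Dict, List, Tuple

CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"
CLOUDFRONT_PREFIX_LIST_ID = "pl-0example0cloudfront"  # constructed sample ID


def ingress_rule(proto: str, port: int, ip_ranges=(), ipv6_ranges=(), prefix_lists=()) -> Dict:
    """Build one IpPermissions entry in the describe-security-groups shape."""
    return {
        "IpProtocol": proto,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in ip_ranges],
        "Ipv6Ranges": [{"CidrIpv6": c} for c in ipv6_ranges],
        "PrefixListIds": [{"PrefixListId": p} for p in prefix_lists],
    }


# Constructed sample security groups for an internet-facing ALB.
SG_CLOUDFRONT_ONLY = {
    "GroupId": "sg-0example0alb", "GroupName": "alb-cloudfront-only",
    "IpPermissions": [ingress_rule("tcp", 443, prefix_lists=[CLOUDFRONT_PREFIX_LIST_ID])],
}
SG_HARDCODED_RANGES = {
    "GroupId": "sg-0example1alb", "GroupName": "alb-hardcoded-ranges",
    # RFC 5737 documentation ranges stand in for manually copied CloudFront CIDRs.
    "IpPermissions": [ingress_rule("tcp", 443, ip_ranges=["203.0.113.0/24", "198.51.100.0/24"])],
}
SG_OPEN = {
    "GroupId": "sg-0example2alb", "GroupName": "alb-open-to-internet",
    "IpPermissions": [ingress_rule("tcp", 443, ip_ranges=["0.0.0.0/0"], ipv6_ranges=["::/0"])],
}


def audit_alb_ingress(sg: Dict, cloudfront_pl_id: str) -> Tuple[bool, List[str]]:
    """Return (compliant, findings) for an ALB security group.

    Compliant means: at least one ingress rule references the CloudFront
    managed prefix list, no rule uses a CIDR or security-group source, no
    rule references another prefix list, and no rule allows all protocols.
    """
    findings: List[str] = []
    references_cloudfront = False
    for perm in sg.get("IpPermissions", []):
        label = f"{perm.get('IpProtocol')}/{perm.get('FromPort')}-{perm.get('ToPort')}"
        if perm.get("IpProtocol") == "-1":
            findings.append(f"{label}: all-traffic rule; limit ingress to the listener ports")
        for r in perm.get("IpRanges", []):
            findings.append(f"{label}: IPv4 CIDR source {r['CidrIp']} instead of the managed prefix list")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"{label}: IPv6 CIDR source {r['CidrIpv6']} instead of the managed prefix list")
        for g in perm.get("UserIdGroupPairs", []):
            findings.append(f"{label}: security-group source {g.get('GroupId')} is not CloudFront")
        for p in perm.get("PrefixListIds", []):
            if p["PrefixListId"] == cloudfront_pl_id:
                references_cloudfront = True
            else:
                findings.append(f"{label}: unexpected prefix list {p['PrefixListId']}")
    if not references_cloudfront:
        findings.append(f"no ingress rule references {CLOUDFRONT_PREFIX_LIST_NAME} ({cloudfront_pl_id})")
    return (not findings, findings)


def cloudfront_only_permission(cloudfront_pl_id: str, port: int = 443) -> Dict:
    """The IpPermissions entry that grants the CloudFront-only rule, in the
    shape `aws ec2 authorize-security-group-ingress --ip-permissions` accepts."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "PrefixListIds": [{"PrefixListId": cloudfront_pl_id,
                           "Description": "CloudFront origin-facing servers only"}],
    }


if __name__ == "__main__":
    for sg in (SG_CLOUDFRONT_ONLY, SG_HARDCODED_RANGES, SG_OPEN):
        ok, findings = audit_alb_ingress(sg, CLOUDFRONT_PREFIX_LIST_ID)
        print(sg["GroupName"], "OK" if ok else "NON-COMPLIANT")
        for f in findings:
            print("  -", f)
```

Run against real output, the function takes the `SecurityGroups[0]` element of `describe-security-groups` and the prefix-list ID resolved from the managed list's name; the `cloudfront_only_permission` dictionary is the JSON to pass to `authorize-security-group-ingress` when adding the rule.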