How can a security engineer meet this requirement in the LEAST amount of time?
Migrate the objects to Amazon S3. Create a new AWS Global Accelerator accelerator that has a listener on port 443 and an endpoint group that points to the origin distribution.
Create a new Amazon CloudFront distribution. Create a new CloudFront custom header for X-Amz-Authorization. Attach the header to the distribution.
Create a new Amazon CloudFront distribution. Create a new CloudFront cache policy with a header whitelist for the Authorization header. Attach the policy to the distribution.
Migrate the objects to Amazon S3. Create a new Amazon CloudFront distribution. Create a new CloudFront cache policy with a header whitelist for the Authorization header. Attach the policy to the distribution.
Explanations:
Migrating the objects to Amazon S3 is not required for passing the Authorization header. AWS Global Accelerator is primarily for improving availability and performance, not for handling custom headers.
CloudFront cannot pass custom headers (like X-Amz-Authorization) unless the Authorization header is specifically included in the cache policy. The custom header alone will not fulfill the requirement.
Creating a CloudFront distribution with a cache policy that includes a header whitelist for the Authorization header is the correct approach. This allows the Authorization header to be forwarded to the origin without requiring object migration to S3.
While the cache policy whitelist is correct, migrating the objects to Amazon S3 is unnecessary and adds complexity. The Authorization header can be passed without needing to move the data to S3.
I value that the answer is:
Create a new Amazon CloudFront distribution. Create a new CloudFront cache policy with a header whitelist for the Authorization header. Attach the policy to the distribution.