How should the security engineer build the MOST secure solution?
1. Add an origin custom header. Set the viewer protocol policy to HTTP and HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.
2. Add an origin custom header. Set the viewer protocol policy to HTTPS only. Set the origin protocol policy to match viewer. Update the application to validate the CloudFront custom header.
3. Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTP only. Update the application to validate the CloudFront custom header.
4. Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.
Explanations:
1. Allows HTTP access, which is less secure and does not fully enforce HTTPS for viewers.
2. Uses “match viewer” for origin protocol, which could allow direct access to the ALB if a viewer attempts HTTP, bypassing CloudFront HTTPS-only enforcement.
3. Sets origin protocol to HTTP only, which reduces security by not using HTTPS to communicate between CloudFront and ALB.
4. Ensures viewer access is HTTPS-only by redirecting HTTP to HTTPS, and sets origin protocol to HTTPS only, enforcing secure, end-to-end encryption and ensuring content is accessed only through CloudFront.