How should the security engineer build the MOST secure solution?
Add an origin custom header. Set the viewer protocol policy to HTTP and HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.
Add an origin custom header. Set the viewer protocol policy to HTTPS only. Set the origin protocol policy to match viewer. Update the application to validate the CloudFront custom header.
Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTP only. Update the application to validate the CloudFront custom header.
Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.
Explanations:
Allows HTTP access, which is less secure and does not fully enforce HTTPS for viewers.
Uses “match viewer” for origin protocol, which could allow direct access to the ALB if a viewer attempts HTTP, bypassing CloudFront HTTPS-only enforcement.
Sets origin protocol to HTTP only, which reduces security by not using HTTPS to communicate between CloudFront and ALB.
Ensures viewer access is HTTPS-only by redirecting HTTP to HTTPS, and sets origin protocol to HTTPS only, enforcing secure, end-to-end encryption and ensuring content is accessed only through CloudFront.
I suspect that the answer is:
Add an origin custom header. Set the viewer protocol policy to redirect HTTP to HTTPS. Set the origin protocol policy to HTTPS only. Update the application to validate the CloudFront custom header.