What should a solutions architect do to meet these requirements?
Associate an AWS WAF web ACL with the ALB. Use IP rule sets on the ALB to filter traffic. Update the IP addresses in the rule to include the registered IP addresses.
Deploy AWS Firewall Manager to manage the ALB. Configure firewall rules to restrict traffic to the ALB. Modify the firewall rules to include the registered IP addresses.
Store the IP addresses in an Amazon DynamoDB table. Configure an AWS Lambda authorization function on the ALB to validate that incoming requests are from the registered IP addresses.
Configure the network ACL on the subnet that contains the public interface of the ALB. Update the ingress rules on the network ACL with entries for each of the registered IP addresses.
Explanations:
Associating an AWS WAF web ACL with the ALB lets you filter requests by source IP: the registered addresses go into a WAF IP set (CIDR notation, REGIONAL scope, same Region as the ALB), a rule in the web ACL references that IP set with an Allow action, and the web ACL's default action is set to Block. Adding or removing a retail location is then an update to the IP set, not a change to the ALB or the subnet. An IP set holds up to 10,000 entries, so this scales well and is the intended answer.
AWS Firewall Manager does not filter traffic itself. It centrally deploys and audits WAF web ACLs, Shield Advanced protections, security group policies and Network Firewall policies across the accounts of an organization. Restricting one ALB to a list of IP addresses still requires a WAF web ACL attached to that ALB; Firewall Manager on its own adds management, not enforcement, so this option does not meet the requirement by itself.
Using AWS Lambda for authorization adds complexity and latency. An ALB has no Lambda authorizer: it supports Lambda functions as targets and OIDC or Amazon Cognito authentication actions for users, while Lambda authorizers are an API Gateway feature. Even if a function in the request path checked the source address against a DynamoDB table, the request would already have reached the ALB, and maintaining the list in DynamoDB is unnecessary overhead for simple IP-based access control.
Network ACLs can filter by CIDR, but they are a poor fit here. They are stateless, numbered rules applied to an entire subnet, with a small default quota of rules per network ACL, so a growing list of retail locations quickly exhausts it; an ALB places a node in each of its enabled subnets, so the same list must be kept in sync on every subnet; and a network ACL sees only the connecting address, so it cannot inspect forwarded-for headers when a proxy or CDN sits in front of the ALB. WAF provides the per-request, application-level filtering and logging that the requirement calls for.
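An added example, not part of the exam page, to make the WAF explanation above concrete. It builds the request bodies for the WAFv2 API calls (the kwargs that boto3's `wafv2` client takes for `create_ip_set` and `create_web_acl`) and includes a small local evaluator that mirrors how the web ACL decides: rules in priority order, first match wins, otherwise the default action. The location names, addresses (RFC 5737 TEST-NET ranges) and the IP set ARN are constructed for the example.

```python
"""WAF IP-set allowlist for an ALB, with a local check of the rule logic.

Example code added to the page; not AWS's or the exam author's code.
Addresses, names and the ARN below are constructed placeholders.
"""
import ipaddress

# Constructed sample data: registered retail locations (TEST-NET ranges).
REGISTERED_LOCATIONS = {
    "store-001": "203.0.113.10",      # a single public address
    "store-002": "198.51.100.0/29",   # a small block at one site
    "store-003": "192.0.2.77",
}


def to_cidr(addr: str) -> str:
    """WAF IP sets require CIDR notation; a bare address becomes a /32 (or /128)."""
    return str(ipaddress.ip_network(addr, strict=False))


def ip_set_addresses(locations: dict) -> list:
    """Deduplicated, sorted CIDR list for the IP set."""
    return sorted({to_cidr(a) for a in locations.values()})


def ip_set_request(name: str, locations: dict) -> dict:
    """Kwargs for wafv2 create_ip_set. Scope must be REGIONAL for an ALB,
    and the set must live in the same Region as the ALB."""
    return {
        "Name": name,
        "Scope": "REGIONAL",
        "IPAddressVersion": "IPV4",
        "Addresses": ip_set_addresses(locations),
    }


def web_acl_request(name: str, ip_set_arn: str) -> dict:
    """Kwargs for wafv2 create_web_acl: one Allow rule referencing the IP set
    and a default action of Block. The default must be Block; with a default
    of Allow the rule would match but change nothing for everyone else."""
    return {
        "Name": name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Block": {}},
        "Rules": [
            {
                "Name": "allow-registered-locations",
                "Priority": 0,
                "Action": {"Allow": {}},
                "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
                "VisibilityConfig": {
                    "SampledRequestsEnabled": True,
                    "CloudWatchMetricsEnabled": True,
                    "MetricName": "AllowRegisteredLocations",
                },
            }
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def evaluate(client_ip: str, addresses: list, default_action: str = "Block") -> str:
    """Local mirror of the web ACL above: Allow if the client address falls in
    any IP-set CIDR, otherwise the web ACL's default action."""
    ip = ipaddress.ip_address(client_ip)
    for cidr in addresses:
        if ip in ipaddress.ip_network(cidr):
            return "Allow"
    return default_action


if __name__ == "__main__":
    addrs = ip_set_addresses(REGISTERED_LOCATIONS)
    print(ip_set_request("retail-locations", REGISTERED_LOCATIONS))
    # Constructed ARN; in practice use the ARN returned by create_ip_set.
    print(web_acl_request("retail-allowlist",
                          "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/retail-locations/example"))
    for probe in ("198.51.100.5", "198.51.100.9", "203.0.113.10", "203.0.113.11"):
        print(probe, "->", evaluate(probe, addrs))
```

Two caveats the exam wording glosses over. First, the web ACL's default action does the real work: an Allow rule combined with a default of Allow blocks nothing, which `evaluate(..., default_action="Allow")` makes visible. Second, WAF matches on the connecting address by default; if a CDN or proxy sits in front of the ALB, the rule's `IPSetReferenceStatement` needs an `IPSetForwardedIPConfig` (header name, position and a fallback behaviour) so that the original client address in `X-Forwarded-For` is checked instead, and that header is only trustworthy when the proxy in front is one you control.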