Which combination of steps should the company take to ensure that the EC2 instances will receive traffic only from CloudFront?
(Choose two.)
Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.
Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB.
Configure the ALB to forward only requests that contain the custom HTTP header.
Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.
Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).
Explanations:
Configuring a cache key policy to allow a custom HTTP header does not prevent direct traffic to the ALB; a cache policy only controls which viewer headers CloudFront forwards and includes in the cache key. The header that identifies CloudFront traffic is an origin custom header, set on the origin itself, and it is added to every origin request regardless of the cache policy.
Adding a custom HTTP header to requests from CloudFront allows the ALB to identify and differentiate legitimate traffic coming from CloudFront versus direct traffic.
Configuring the ALB to forward only requests containing the custom HTTP header ensures that only traffic from CloudFront (which includes the custom header) reaches the EC2 instances, blocking direct access. In practice this means a listener rule whose http-header condition matches the header name and secret value, with the listener's default action changed to a fixed 403 response so that any request without the header is rejected rather than forwarded. The header value is effectively a credential: it must be long and random, stored as a secret, and rotated.
Using the X-Forwarded-For header primarily records the originating IP address of clients and does not inherently restrict access to the ALB. It is also supplied by whichever client connects, so anyone reaching the ALB directly can set it to any value; it cannot serve as proof that a request came through CloudFront.
Using the same X.509 certificate does not relate to controlling traffic access; it is primarily for secure communication (SSL/TLS) between CloudFront and the ALB, not for traffic source verification.
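The two correct steps, wired together as a CloudFormation fragment. This is an added example, not part of the original question or of any AWS sample; the parameter and resource names (OriginVerifySecret, AppTargetGroupArn, AppLoadBalancerArn, AlbDnsName, AlbCertificateArn, HttpsListener, ForwardOnlyFromCloudFront) and the header name X-Origin-Verify are assumptions. The two policy IDs are the AWS-managed CachingDisabled cache policy and AllViewer origin request policy.

```yaml
# Added example (not from the original question). Names such as OriginVerifySecret,
# AppTargetGroupArn, AppLoadBalancerArn, AlbDnsName, AlbCertificateArn and the header
# name X-Origin-Verify are assumptions; the ALB, target group and ACM certificate are
# assumed to exist already and are passed in as parameters.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OriginVerifySecret:
    Type: String
    NoEcho: true          # long random value; avoid '*' and '?' (ALB treats them as wildcards)
  AppTargetGroupArn:
    Type: String
  AppLoadBalancerArn:
    Type: String
  AlbDnsName:
    Type: String
  AlbCertificateArn:
    Type: String          # ACM certificate for the ALB listener (TLS only, not access control)

Resources:
  # Step 1: CloudFront adds the secret header to every request it sends to the ALB origin.
  # OriginCustomHeaders sits on the origin, not on the cache policy, so it is added whether
  # or not the response is cached.
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: alb-origin
            DomainName: !Ref AlbDnsName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
            OriginCustomHeaders:
              - HeaderName: X-Origin-Verify
                HeaderValue: !Ref OriginVerifySecret
        DefaultCacheBehavior:
          TargetOriginId: alb-origin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad        # managed CachingDisabled
          OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3 # managed AllViewer

  # Step 2: the listener's default action rejects everything. Only a request carrying the
  # secret header value matches the rule below and is forwarded to the EC2 target group,
  # so a client that reaches the ALB DNS name directly gets a 403.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AppLoadBalancerArn
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref AlbCertificateArn
      DefaultActions:
        - Type: fixed-response
          FixedResponseConfig:
            StatusCode: "403"
            ContentType: text/plain
            MessageBody: Forbidden

  ForwardOnlyFromCloudFront:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 1
      Conditions:
        - Field: http-header
          HttpHeaderConfig:
            HttpHeaderName: X-Origin-Verify
            Values:
              - !Ref OriginVerifySecret
      Actions:
        - Type: forward
          TargetGroupArn: !Ref AppTargetGroupArn
```

To check the result after deployment, request the ALB DNS name directly over HTTPS and confirm a 403, then repeat with the X-Origin-Verify header and the secret value and confirm the application responds; requests through the CloudFront domain should behave like the second case. Rotating the secret means updating both the origin custom header and the listener rule value, and because the rule value is the only thing standing between the internet and the instances, the value should be generated from a CSPRNG and never a guessable word.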