Which solution should a solutions architect recommend to enhance the origin security?
A. Store a random string in AWS Secrets Manager. Create an AWS Lambda function for automatic secret rotation. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Create an AWS WAF web ACL rule with a string match rule for the custom header. Associate the web ACL with the ALB.
B. Create an AWS WAF web ACL rule with an IP match condition of the CloudFront service IP address ranges. Associate the web ACL with the ALB. Move the ALB into the three private subnets.
C. Store a random string in AWS Systems Manager Parameter Store. Configure Parameter Store automatic rotation for the string. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Inspect the value of the custom HTTP header, and block access in the ALB.
D. Configure AWS Shield Advanced. Create a security group policy to allow connections from CloudFront service IP address ranges. Add the policy to AWS Shield Advanced, and attach the policy to the ALB.
Explanations:
A. This solution enhances origin security by using a random string as a custom HTTP header, so that only requests carrying the correct header value reach the origin. The AWS WAF web ACL rule associated with the ALB checks for this header and blocks any request that is missing it or carries the wrong value. AWS Secrets Manager, together with the Lambda rotation function, rotates the shared string automatically so it does not remain a static, long-lived value.
B. Using an IP match condition in AWS WAF for CloudFront's IP address ranges could work, but the CloudFront IP ranges change over time and the rule would need continual updates. Moving the ALB into private subnets would also cut off access unless additional configuration is added.
C. This approach is similar to Option A but lacks the AWS WAF integration to verify the custom HTTP header. Inspecting and blocking based solely on the ALB would not provide the same level of security as using AWS WAF.
D. AWS Shield Advanced provides DDoS protection but does not specifically address origin access control in this context. A security group policy that allows only CloudFront IP ranges is also not as dynamic or reliable as the other solutions for verifying that requests come through CloudFront.
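The following added example (not part of the original question or its explanations) shows what the Option A rule looks like in practice: it builds the AWS WAFv2 rule document that blocks any request to the ALB whose custom header does not carry the current secret, and includes a small offline evaluator so the rule logic can be exercised without an AWS account. The rule dictionary follows the WAFv2 API shape that boto3's `create_web_acl`/`update_web_acl` accept in `Rules`; the header name `x-origin-verify`, the rule name and the evaluator itself are assumptions for illustration. It also goes one step beyond the text by accepting the previous secret during a rotation window, which is what a rotation Lambda needs so that in-flight CloudFront requests are not dropped while the header value and the WAF rule are updated.

```python
"""Added example: WAFv2 rule for CloudFront-to-ALB origin verification.

Real matching is done by AWS WAF in front of the ALB; the evaluator below is a
constructed simulation of the statement types used here, for offline testing.
"""
import hmac
import secrets
from typing import Optional

HEADER_NAME = "x-origin-verify"  # assumed header name; WAF requires lowercase


def generate_secret(nbytes: int = 32) -> str:
    """Random string CloudFront injects and WAF looks for.
    In the real design this is the value the rotation Lambda writes to Secrets Manager."""
    return secrets.token_urlsafe(nbytes)


def _match_statement(secret: str) -> dict:
    # WAFv2 ByteMatchStatement: exact match on one request header.
    return {
        "ByteMatchStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": HEADER_NAME}},
            "PositionalConstraint": "EXACTLY",
            "SearchString": secret.encode(),  # boto3 expects bytes here
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }
    }


def build_origin_verify_rule(current: str, previous: Optional[str] = None) -> dict:
    """Rule that BLOCKs every request whose header carries no valid secret.

    The rule is NOT(header == current [OR header == previous]) -> Block, so a
    missing header and a wrong value are both rejected.  Passing `previous`
    during a rotation window keeps requests from edges that still send the
    old value flowing until CloudFront has picked up the new one.
    """
    accepted = [_match_statement(current)]
    if previous:
        accepted.append(_match_statement(previous))
    allowed = accepted[0] if len(accepted) == 1 else {"OrStatement": {"Statements": accepted}}
    return {
        "Name": "block-requests-not-from-cloudfront",  # assumed rule name
        "Priority": 0,
        "Statement": {"NotStatement": {"Statement": allowed}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "OriginVerify",
        },
    }


def _stmt_matches(stmt: dict, headers: dict) -> bool:
    """Offline interpreter for the NotStatement/OrStatement/ByteMatchStatement
    subset used above (constructed; mirrors EXACTLY semantics only)."""
    if "NotStatement" in stmt:
        return not _stmt_matches(stmt["NotStatement"]["Statement"], headers)
    if "OrStatement" in stmt:
        return any(_stmt_matches(s, headers) for s in stmt["OrStatement"]["Statements"])
    bm = stmt["ByteMatchStatement"]
    value = headers.get(bm["FieldToMatch"]["SingleHeader"]["Name"])
    if value is None:
        return False  # header absent: the match fails, so NOT(match) blocks
    # Constant-time comparison; also False when lengths differ.
    return hmac.compare_digest(value.encode(), bm["SearchString"])


def waf_decision(rule: dict, request_headers: dict) -> str:
    """Return 'BLOCK' if the rule fires, else 'ALLOW' (falls through to the
    web ACL default action).  Header names are case-insensitive in HTTP."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    return "BLOCK" if _stmt_matches(rule["Statement"], lowered) else "ALLOW"


if __name__ == "__main__":
    current, previous = generate_secret(), generate_secret()
    rule = build_origin_verify_rule(current, previous)
    print(waf_decision(rule, {"X-Origin-Verify": current}))   # ALLOW
    print(waf_decision(rule, {"X-Origin-Verify": previous}))  # ALLOW (rotation window)
    print(waf_decision(rule, {}))                              # BLOCK (direct hit on ALB)
```

Once the window has passed, the rotation Lambda calls `build_origin_verify_rule(current)` without the previous value and pushes the updated rule with `update_web_acl`, so the retired secret stops being accepted.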