Which solution should a solutions architect recommend to enhance the origin security?

By:
In: SAP-C01
Tagged:
With: 2 Comments
A medical company is running a REST API on a set of Amazon EC2 instances.The EC2 instances run in an Auto Scaling group behind an Application LoadBalancer (ALB).The ALB runs in three public subnets, and the EC2 instances run in three private subnets.The company has deployed an Amazon CloudFront distribution that has the ALB as the only origin.

Which solution should a solutions architect recommend to enhance the origin security?

Store a random string in AWS Secrets Manager. Create an AWS Lambda function for automatic secret rotation. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Create an AWS WAF web ACL rule with a string match rule for the custom header. Associate the web ACL with the ALB.

Create an AWS WAF web ACL rule with an IP match condition of the CloudFront service IP address ranges. Associate the web ACL with the ALB. Move the ALB into the three private subnets.

Store a random string in AWS Systems Manager Parameter Store. Configure Parameter Store automatic rotation for the string. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Inspect the value of the custom HTTP header, and block access in the ALB.

Configure AWS Shield Advanced. Create a security group policy to allow connections from CloudFront service IP address ranges. Add the policy to AWS Shield Advanced, and attach the policy to the ALB.

Explanations:

This option uses a custom HTTP header with a secret string stored in AWS Secrets Manager to ensure that only requests from CloudFront are accepted by the ALB. The AWS WAF rule can match this header, effectively filtering non-CloudFront requests and enhancing origin security.

Moving the ALB to private subnets would make it inaccessible to CloudFront, which requires access to the ALB in a public subnet. The IP match condition is also unreliable because CloudFront’s IP ranges change frequently.

Although this option adds a custom header, it lacks a secure way to enforce access at the ALB level, as ALB itself cannot directly inspect custom headers. AWS WAF or other solutions would be required to properly filter requests based on the header.

AWS Shield Advanced focuses on DDoS protection but does not directly control access between CloudFront and the ALB. Security groups are not associated with ALBs, and this option does not correctly enforce origin security.

2026-03-20

2 Comments

  1. Arthur
    Author

    I structure that the answer is:
    Store a random string in AWS Secrets Manager. Create an AWS Lambda function for automatic secret rotation. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Create an AWS WAF web ACL rule with a string match rule for the custom header. Associate the web ACL with the ALB.

  2. Andrea
    Author

    In my opinion, the answer is:
    Store a random string in AWS Secrets Manager. Create an AWS Lambda function for automatic secret rotation. Configure CloudFront to inject the random string as a custom HTTP header for the origin request. Create an AWS WAF web ACL rule with a string match rule for the custom header. Associate the web ACL with the ALB.

Leave a Reply to Andrea Cancel reply

Your email address will not be published. Required fields are marked *

15 − 11 =