Which solution will meet these requirements with the LEAST operational overhead?
Use the SimpleCORS managed response headers policy.
Use a Lambda@Edge function to add the Strict-Transport-Security response header.
Use the SecurityHeadersPolicy managed response headers policy.
Include the X-XSS-Protection header in a custom response headers policy.
Explanations:
The SimpleCORS managed response headers policy is for handling cross-origin resource sharing (CORS) and does not address security headers to mitigate man-in-the-middle attacks.
Using Lambda@Edge to add the Strict-Transport-Security (HSTS) header would work, but it adds operational overhead due to maintaining Lambda functions, which is not the least overhead.
The SecurityHeadersPolicy managed response headers policy includes the necessary security headers like HSTS with minimal operational overhead, providing effective protection.
The X-XSS-Protection header helps with cross-site scripting protection but does not address man-in-the-middle attack protection and would not be sufficient alone for this purpose.
I suspect that the answer is:
Use the SecurityHeadersPolicy managed response headers policy.