Which solution will meet this requirement?
Configure the ALB to enforce authentication and authorization by integrating the ALB with the IdP. Allow only authenticated users to access the backend services.
Modify the CloudFront configuration to use signed URLs. Implement a permissive signing policy that allows any request to access the backend services.
Create an AWS WAF web ACL that filters out unauthenticated requests at the ALB level. Allow only authenticated traffic to reach the backend services.
Enable AWS CloudTrail to log all requests that come to the ALB. Create an AWS Lambda function to analyze the logs and block any requests that come from unauthenticated users.
Explanations:
Integrating the ALB with the IdP (an ALB listener rule whose first action is authenticate-oidc, or authenticate-cognito when the IdP is fronted by Amazon Cognito) enforces authentication at the load balancer before any request is forwarded to a target: unauthenticated users are redirected to the IdP, and only users with a valid session reach the backend services. This meets the requirement of securing both custom origins. Two points matter in practice: the backend targets must accept traffic only from the ALB (for example a security group rule that references the ALB's security group), otherwise the authentication step can be bypassed by calling the targets directly; and a backend that acts on the user's identity should verify the ALB-signed x-amzn-oidc-data header rather than trusting it blindly.
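As an added example (not part of the original question or answer key): a check a backend behind an ALB with authenticate-oidc can run on the x-amzn-oidc-data header it receives. The token is a JWT signed with ES256 whose header carries the signing ALB's ARN (signer), a key id (kid) and an expiry (exp). The function below verifies the signature, requires the signer to be the one ALB that is allowed to vouch for users, and rejects expired tokens. P-256 ECDSA is implemented inline so the block runs offline with the standard library only; the key lookup, the ALB ARN, the key id and the claims used in the test are constructed for this example. In production the public key for a kid is fetched from https://public-keys.auth.elb.<region>.amazonaws.com/<kid> (PEM), cached, and parsed with a real crypto library.

```python
import base64
import hashlib
import json
import secrets
import time

# NIST P-256 domain parameters; ALB signs x-amzn-oidc-data with ES256.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _add(p, q):
    """Affine point addition on P-256; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P  # a = -3 on P-256
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication (fine for a demo, not side-channel safe)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(s):
    # ALB-issued segments may carry '=' padding; accept padded and unpadded.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_keypair():
    """Hypothetical signing key standing in for the ALB's key (test only)."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, _mul(priv, G)


def ecdsa_sign(priv, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s


def ecdsa_verify(pub, msg, r, s):
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def verify_alb_oidc_data(token, expected_signer, key_for_kid, now=None):
    """Return the user claims if `token` is a valid ALB-signed JWT, else raise.

    expected_signer: ARN of the one ALB allowed to vouch for the user.
    key_for_kid: callable kid -> (x, y) public point; in production backed by
    the ALB public-key endpoint, here by a constructed dict.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_unb64url(h64))
    if header.get("alg") != "ES256":
        raise ValueError("unexpected alg")
    if header.get("signer") != expected_signer:
        raise ValueError("token not signed by the expected ALB")
    if header.get("exp", 0) <= now:
        raise ValueError("token expired")
    sig = _unb64url(s64)
    if len(sig) != 64:  # JWS ES256 signature is raw r || s, 32 bytes each
        raise ValueError("bad signature length")
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not ecdsa_verify(key_for_kid(header["kid"]), (h64 + "." + p64).encode(), r, s):
        raise ValueError("signature check failed")
    return json.loads(_unb64url(p64))


def make_alb_token(priv, kid, signer, claims, exp):
    """Build a token shaped like x-amzn-oidc-data (test helper, not ALB code)."""
    header = {"typ": "JWT", "kid": kid, "alg": "ES256", "signer": signer, "exp": exp}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    r, s = ecdsa_sign(priv, signing_input.encode())
    return signing_input + "." + _b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))
```

The signer check is the part most often skipped: any ALB in the region signs with keys served from the same public-key host, so a backend that only checks the signature would accept a token minted by an attacker's own ALB that is configured to trust an attacker-controlled IdP. Pinning the ARN closes that hole; restricting the targets' security group to the ALB closes the other one.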
CloudFront signed URLs control who may request content through CloudFront; they do nothing at the ALB, which still accepts direct requests from anyone who can reach it. A permissive signing policy that allows any request defeats even the CloudFront-side control, so unauthenticated requests would still reach the backend.
An AWS WAF web ACL filters requests by IP address, rate, geography or request patterns; it has no way to check a user's identity against the IdP. It can block classes of traffic, but it cannot tell an authenticated user from an unauthenticated one, so it does not ensure that only authenticated users access the backend services.
CloudTrail records AWS API calls, not the HTTP requests handled by the ALB, so it would not even see this traffic (ALB access logs would, but they are written after the fact). Blocking requests with a Lambda function based on log analysis is reactive: the requests have already reached the backend by the time they are analysed, and nothing enforces authentication at the point of entry.