DVA-C02 · Question #791
A developer is building a web application that is accessible through an Amazon CloudFront distribution. The application invokes an AWS Lambda function through a function URL. The developer wants to en
The correct answer is C. Create a CloudFront origin access control (OAC). Update the CloudFront distribution to use the. To force all access through CloudFront when the function URL requires IAM authentication, CloudFront must be able to sign requests to the origin and the origin must only trust CloudFront. Using CloudFront Origin Access Control (OAC) enables CloudFront to securely authenticate to
Question
A developer is building a web application that is accessible through an Amazon CloudFront distribution. The application invokes an AWS Lambda function through a function URL. The developer wants to ensure that all traffic to the Lambda function passes through the CloudFront distribution first. The developer configures the function URL AuthType parameter to enforce IAM authentication. Which solution will meet these requirements?
Options
- AUpdate the resource-based IAM policy for the Lambda function to allow access to the function
- BConfigure the CloudFront distribution to add a custom header that contains a shared secret for
- CCreate a CloudFront origin access control (OAC). Update the CloudFront distribution to use the
- DSet up a cross-origin resource sharing (CORS) configuration for the Lambda function URL. Add
How the community answered
(36 responses)- A6% (2)
- B6% (2)
- C69% (25)
- D19% (7)
Explanation
To force all access through CloudFront when the function URL requires IAM authentication, CloudFront must be able to sign requests to the origin and the origin must only trust CloudFront. Using CloudFront Origin Access Control (OAC) enables CloudFront to securely authenticate to the origin with SigV4, and configuring the Lambda function permissions to allow the CloudFront OAC restricts direct access to the function URL so requests must come through the CloudFront
Community Discussion
No community discussion yet for this question.