nerdexam
Amazon

DVA-C02 · Question #791

A developer is building a web application that is accessible through an Amazon CloudFront distribution. The application invokes an AWS Lambda function through a function URL. The developer wants to en

The correct answer is C. Create a CloudFront origin access control (OAC). Update the CloudFront distribution to use the. To force all access through CloudFront when the function URL requires IAM authentication, CloudFront must be able to sign requests to the origin and the origin must only trust CloudFront. Using CloudFront Origin Access Control (OAC) enables CloudFront to securely authenticate to

Submitted by asante_acc· Mar 5, 2026Security

Question

A developer is building a web application that is accessible through an Amazon CloudFront distribution. The application invokes an AWS Lambda function through a function URL. The developer wants to ensure that all traffic to the Lambda function passes through the CloudFront distribution first. The developer configures the function URL AuthType parameter to enforce IAM authentication. Which solution will meet these requirements?

Options

  • AUpdate the resource-based IAM policy for the Lambda function to allow access to the function
  • BConfigure the CloudFront distribution to add a custom header that contains a shared secret for
  • CCreate a CloudFront origin access control (OAC). Update the CloudFront distribution to use the
  • DSet up a cross-origin resource sharing (CORS) configuration for the Lambda function URL. Add

How the community answered

(36 responses)
  • A
    6% (2)
  • B
    6% (2)
  • C
    69% (25)
  • D
    19% (7)

Explanation

To force all access through CloudFront when the function URL requires IAM authentication, CloudFront must be able to sign requests to the origin and the origin must only trust CloudFront. Using CloudFront Origin Access Control (OAC) enables CloudFront to securely authenticate to the origin with SigV4, and configuring the Lambda function permissions to allow the CloudFront OAC restricts direct access to the function URL so requests must come through the CloudFront

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice