

SCS-C03 Question #129: Real Exam Question with Answer & Explanation

The correct answer is D.

Submitted by jordan8 · Mar 6, 2026

Question

A company is running a containerized application on an Amazon Elastic Container Service (Amazon ECS) cluster that uses AWS Fargate. The application runs as several ECS services. The ECS services are in individual target groups for an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL is associated with the CloudFront distribution. Web clients access the ECS services through the CloudFront distribution. The company learns that the web clients can bypass the web ACL and can access the ALB directly. Which solution will prevent the web clients from directly accessing the ALB?

Options

  • A. Create an AWS PrivateLink endpoint and set it as the CloudFront origin.
  • B. Create a new internal ALB and delete the internet-facing ALB.
  • C. Modify the ALB listener rules to allow only CloudFront IP ranges.
  • D. Add a custom X-Shared-Secret header in CloudFront and configure the ALB listener rules to

Explanation

When an internet-facing ALB is used as a CloudFront origin, it remains directly accessible unless additional access controls are enforced. According to AWS Certified Security - Specialty guidance, CloudFront IP allow lists alone are insufficient, because CloudFront IP ranges change and are not guaranteed to be exclusive. The recommended and most secure approach is to configure CloudFront to send a custom origin header (such as X-Shared-Secret) with a secret value on every request to the origin. The ALB listener rules are then configured to forward traffic only when the header exists and matches the expected value. Requests that attempt to bypass CloudFront will not include this header and will
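As an added illustration, not part of the question or its source, this is the ALB side of the approach described above in Terraform: a listener whose default action returns 403 and a rule that forwards only when X-Shared-Secret carries the expected value. The resource names (aws_lb.app, aws_lb_target_group.web), the certificate variable and the CloudFront distribution that sets the matching custom origin header are assumptions.

```hcl
# Example only: aws_lb.app, aws_lb_target_group.web and var.alb_certificate_arn
# are assumed to be defined elsewhere in the same configuration.

# Shared secret created at apply time; it lives in Terraform state, not in source.
# ALB header matching is case-insensitive and treats * and ? as wildcards, so a
# long alphanumeric value (no special characters) is the safe choice.
resource "random_password" "origin_secret" {
  length  = 48
  special = false
}

# The listener's default action rejects every request. Because nothing forwards
# by default, a client that reaches the ALB directly gets a 403 and never
# reaches an ECS service.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.alb_certificate_arn

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "Forbidden"
      status_code  = "403"
    }
  }
}

# The only forwarding path: the request must carry X-Shared-Secret with the
# value that CloudFront is configured to add as a custom origin header
# (custom_header block in the distribution's origin, same secret).
# With several ECS services, repeat this rule per target group and add the
# path or host condition that selects the service.
resource "aws_lb_listener_rule" "from_cloudfront" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10

  condition {
    http_header {
      http_header_name = "X-Shared-Secret"
      values           = [random_password.origin_secret.result]
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}
```

Because the value is pinned in both CloudFront and the listener rule, rotate it by adding a second rule with the new secret, updating the CloudFront custom header, then removing the old rule. Direct hits on the ALB then appear as 403 responses from the default action in the ALB access logs, which is a useful signal for detecting bypass attempts.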

