Exam SCS-C03 Topic 1 Question 142 Discussion
Actual exam question for Amazon's SCS-C03 exam
Question #: 142
Topic #: 1
A company runs ECS services behind an internet-facing ALB that is the origin for CloudFront. An AWS WAF web ACL is associated with CloudFront, but clients can bypass it by accessing the ALB directly.
Which solution will prevent direct access to the ALB?
Suggested Answer: D
AWS best practices recommend using a shared secret header between CloudFront and ALB origins to prevent direct access. CloudFront injects a custom header, and the ALB listener rules validate its presence.
IP-based controls are brittle due to CloudFront IP changes. PrivateLink and internal ALBs are not supported as CloudFront origins. Header validation is the most reliable and widely recommended pattern.
Referenced AWS Specialty Documents:
AWS Certified Security - Specialty Official Study Guide
CloudFront Origin Protection
AWS WAF and ALB Integration
by Cedric at Mar 30, 2026, 01:50 AM
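An added example (not part of the original explanation, and not AWS code) that audits listener rules shaped like `aws elbv2 describe-rules` output for the shared-secret header pattern described above. The header name `X-Origin-Verify`, the helper names and the sample rules are assumptions constructed for illustration.

```python
# Added example: audits rule lists shaped like `aws elbv2 describe-rules` output.
HEADER_NAME = "x-origin-verify"  # assumed name; the page does not specify one


def header_check(rule, header_name=HEADER_NAME):
    """Return 'exact', 'wildcard' or None for the rule's secret-header condition."""
    for cond in rule.get("Conditions", []):
        cfg = cond.get("HttpHeaderConfig") or {}
        if cond.get("Field") != "http-header":
            continue
        if cfg.get("HttpHeaderName", "").lower() != header_name:
            continue
        values = cfg.get("Values", [])
        if not values:
            continue
        # ALB header values accept * and ? wildcards; a wildcard value only
        # proves the header is present, which any direct client can send.
        if any("*" in v or "?" in v for v in values):
            return "wildcard"
        return "exact"
    return None


def bypass_findings(rules, header_name=HEADER_NAME):
    """List (priority, reason) for every rule that forwards without the secret."""
    findings = []
    for rule in rules:
        if not any(a.get("Type") == "forward" for a in rule.get("Actions", [])):
            continue
        check = header_check(rule, header_name)
        if check is None:
            findings.append((rule["Priority"], "forwards without header condition"))
        elif check == "wildcard":
            findings.append((rule["Priority"], "header value uses a wildcard"))
    return findings


def _rule(priority, action, header_values=None):
    """Build a constructed sample rule (not real describe-rules output)."""
    conds = []
    if header_values is not None:
        conds.append({"Field": "http-header", "HttpHeaderConfig": {
            "HttpHeaderName": "X-Origin-Verify", "Values": header_values}})
    return {"Priority": priority, "Conditions": conds,
            "Actions": [{"Type": action}], "IsDefault": priority == "default"}


WEAK = [_rule("default", "forward")]
HARDENED = [_rule("1", "forward", ["constructed-secret-value"]),
            _rule("default", "fixed-response")]
PRESENCE_ONLY = [_rule("1", "forward", ["*"]), _rule("default", "fixed-response")]
```

`bypass_findings` returns an empty list only for `HARDENED`, where the default action is a fixed response and the single forwarding rule matches an exact header value.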