Topic 1 Question 165
A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to store a static website. The company’s security policy requires that all website traffic be inspected by AWS WAF.
How should the solutions architect comply with these requirements?
A. Configure an S3 bucket policy to accept requests coming from the AWS WAF Amazon Resource Name (ARN) only.
B. Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin.
C. Configure a security group that allows Amazon CloudFront IP addresses to access Amazon S3 only. Associate AWS WAF to CloudFront.
D. Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.
Comments (17)
Answer D. Use an OAI to lock down CloudFront to the S3 origin & enable WAF on the CF distribution.
👍 16
Nigma 2022/11/15
For people who chose B as the right answer, look at this link: https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html
"When you create a web ACL, you can specify one or more CloudFront distributions that you want AWS WAF to inspect. AWS WAF starts to inspect and manage web requests for those distributions based on the criteria that you identify in the web ACL"
You don't configure CloudFront to redirect traffic to WAF. You just create an ACL and point it to the CloudFront distribution.
So D is the best solution to secure and integrate Cloudfront with S3 and WAF.
From one side it protects your S3 content by allowing user requests to access only the OAI. And from the other side it enables WAF to control traffic before reaching CloudFront by creating a WAF rule or ACL (not redirecting CloudFront traffic to WAF, which as a solutions architect you cannot do).
👍 4
CaoMengde09 2023/02/06
Selected answer: B
This can be done by selecting "Yes" for "Viewer Protocol Policy" when creating or updating the CloudFront distribution and selecting "AWS WAF" for "Origin Protocol Policy." This will ensure that all traffic to the website is inspected by AWS WAF before being served by CloudFront.
Option D is incorrect because configuring Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket and enabling AWS WAF on the distribution will not allow AWS WAF to inspect website traffic BEFORE it is served by CloudFront and S3.
👍 3
Training4aBetterLife 2023/01/24
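What answer D looks like as configuration, as an added example that is not part of the thread: the S3 bucket policy that grants read access only to the CloudFront OAI, the matching distribution settings with the WAF web ACL attached, and a small review check that flags the two ways WAF inspection gets bypassed (a public bucket principal, or a distribution with no web ACL). The OAI id, bucket name, web ACL ARN and account id are constructed placeholders.

```python
# Constructed placeholder identifiers (assumptions, not taken from the question).
OAI_ID = "E1EXAMPLEOAI"
BUCKET = "example-static-site"
WEB_ACL_ARN = "arn:aws:wafv2:us-east-1:111122223333:global/webacl/site-acl/EXAMPLE-ID"


def oai_bucket_policy(bucket, oai_id):
    """S3 side of answer D: only the CloudFront OAI may read objects, so viewers
    cannot bypass CloudFront (and therefore WAF) by requesting the bucket URL."""
    oai_arn = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": oai_arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def distribution_config(bucket, oai_id, web_acl_arn):
    """CloudFront side: the S3 origin is bound to the OAI and the WAF web ACL is
    attached to the distribution (for a WAFv2 global ACL, WebACLId carries the ARN)."""
    return {
        "Enabled": True,
        "WebACLId": web_acl_arn,
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "s3-static-site",
            "DomainName": f"{bucket}.s3.amazonaws.com",
            "S3OriginConfig": {"OriginAccessIdentity": f"origin-access-identity/cloudfront/{oai_id}"},
        }]},
    }


def waf_bypass_findings(policy, dist):
    """Review check: list the ways traffic could reach the site without WAF inspection."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"statement {st.get('Sid')} grants public access; bucket reachable directly")
    if not dist.get("WebACLId"):
        findings.append("distribution has no web ACL; requests are not inspected")
    for origin in dist.get("Origins", {}).get("Items", []):
        if not origin.get("S3OriginConfig", {}).get("OriginAccessIdentity"):
            findings.append(f"origin {origin['Id']} is not restricted to an OAI")
    return findings
```

AWS now recommends origin access control (OAC) over the legacy OAI for new S3 origins; the bucket-policy principle is the same, only the principal changes to the CloudFront service with a distribution condition.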