Q435. A company has deployed its corporate website in a VPC on two Amazon EC2 instances behind an Application Load Balancer (ALB).The EC2 instances are deployed in private subnets. The ALB is in a public subnet. A route to an internet gateway exists in the public subnet route table. The company has deployed an Amazon CloudFront distribution with the ALB as the origin. The company's security team recently identified that malicious traffic is accessing the ALB directly.The company must deploy security controls to prevent common attack techniques including cross-site scripting and to protect against volumetric denials of service. Which strategy should a solutions architect recommend to meet these requirements?
A.Migrate the ALB to a private subnet. Associate an AWS WAF web ACL with the ALB.Update inbound rules on the ALB security group to allow traffic on port 443 only from CloudFront IP addresses. B.Associate an AWS WAF web ACL with the CloudFront distribution.Configure an origin access identity (OAI) on the ALB to drop access attempts that do not originate from CloudFront. C.Associate an AWS WAF web ACL with the CloudFront distribution.Configure CloudFront to add a custom header to the requests that are sent to the ALB.Configure advanced routing on the ALB to only forward requests that include the custom header that is set by CloudFront. D.Associate an AWS WAF web ACL with the CloudFront distribution.Configure AWS WAF to add a custom heade to the requests that are sent to the ALB.Configure advanced routing on the ALB to only forward requests that include the custom header that is set by CloudFront.正确答案C
