Amazon Exam SAP-C02 Topic 9 Question 46 Discussion

Actual exam question for Amazon's SAP-C02 exam

Question #: 46
Topic #: 9

A company needs to improve the security of its web-based application on AWS. The application uses Amazon CloudFront with two custom origins. The first custom origin routes requests to an Amazon API Gateway HTTP API. The second custom origin routes traffic to an Application Load Balancer (ALB) The application integrates with an OpenlD Connect (OIDC) identity provider (IdP) for user management.

A security audit shows that a JSON Web Token (JWT) authorizer provides access to the API The security audit also shows that the ALB accepts requests from unauthenticated users

A solutions architect must design a solution to ensure that all backend services respond to only authenticated users

Which solution will meet this requirement?

AConfigure the ALB to enforce authentication and authorization by integrating the ALB with the IdP Allow only authenticated users to access the backend services

BModify the CloudFront configuration to use signed URLs Implement a permissive signing policy that allows any request to access the backend services

CCreate an AWS WAF web ACL that filters out unauthenticated requests at the ALB level. Allow only authenticated traffic to reach the backend services.

DEnable AWS CloudTrail to log all requests that come to the ALB Create an AWS Lambda function to analyze the togs and block any requests that come from unauthenticated users.

Show Suggested Answer

Suggested Answer: A

Integrate ALB with OIDC IdP:

In the AWS Management Console, navigate to the Application Load Balancer (ALB) settings.

Configure the ALB to use the OpenID Connect (OIDC) IdP for authentication. This ensures that all requests routed through the ALB are authenticated using the IdP.

Set Up Authentication Rules:

Create a listener rule on the ALB that requires authentication. This rule will forward requests to the IdP for user authentication before allowing access to the backend services.

Restrict Unauthenticated Access:

Ensure the ALB only forwards requests to backend services if the user is authenticated. Unauthenticated requests should be blocked or redirected to the IdP for authentication.

Update CloudFront Configuration:

Modify the CloudFront distribution to forward authenticated requests to the ALB. Ensure that the ALB and API Gateway accept only requests coming through the CloudFront distribution to enforce consistent authentication and security.

By enforcing authentication at the ALB level, you ensure that all backend services are accessed only by authenticated users, enhancing the overall security of the web application

by Reynalda at Nov 19, 2024, 02:35 AM

Limited Time Offer

25%

Off

Get Premium SAP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Chantay

24 hours ago

Option C looks promising. Using AWS WAF to filter out unauthenticated requests at the ALB level is a smart move.

upvoted 0 times

...

Armando

6 days ago

I'm not sure about option C. Creating a web ACL to filter out unauthenticated requests seems like a good idea too.

upvoted 0 times

...

Dong

7 days ago

I agree with Arthur. Option A ensures that only authenticated users can access the backend services.

upvoted 0 times

...

Victor

10 days ago

I'm not sure about Option B. Allowing any request to access the backend services doesn't seem very secure, even with signed URLs.

upvoted 0 times

Nguyet

5 days ago

A: Option A seems like the best choice. Integrating the ALB with the IdP will ensure only authenticated users can access the backend services.

upvoted 0 times

...

Arthur

14 days ago

I think option A is the best solution. It integrates the ALB with the IdP to enforce authentication.

upvoted 0 times

...

Brandon

21 days ago

Option A seems like the way to go. Integrating the ALB with the IdP to enforce authentication is the most straightforward solution.

upvoted 0 times

...