
Amazon SAP-C02 Exam - Topic 9 Question 46 Discussion

Actual exam question for Amazon's SAP-C02 exam
Question #: 46
Topic #: 9

A company needs to improve the security of its web-based application on AWS. The application uses Amazon CloudFront with two custom origins. The first custom origin routes requests to an Amazon API Gateway HTTP API. The second custom origin routes traffic to an Application Load Balancer (ALB). The application integrates with an OpenID Connect (OIDC) identity provider (IdP) for user management.

A security audit shows that a JSON Web Token (JWT) authorizer provides access to the API. The security audit also shows that the ALB accepts requests from unauthenticated users.

A solutions architect must design a solution to ensure that all backend services respond to only authenticated users.

Which solution will meet this requirement?

Suggested Answer: A

Integrate ALB with OIDC IdP:

In the AWS Management Console, navigate to the Application Load Balancer (ALB) settings.

Configure the ALB to use the OpenID Connect (OIDC) IdP for authentication. This ensures that all requests routed through the ALB are authenticated using the IdP.

Set Up Authentication Rules:

Create a listener rule on the ALB that requires authentication. This rule will forward requests to the IdP for user authentication before allowing access to the backend services.

Restrict Unauthenticated Access:

Ensure the ALB only forwards requests to backend services if the user is authenticated. Unauthenticated requests should be blocked or redirected to the IdP for authentication.

Update CloudFront Configuration:

Modify the CloudFront distribution to forward authenticated requests to the ALB. Ensure that the ALB and API Gateway accept only requests coming through the CloudFront distribution to enforce consistent authentication and security.

By enforcing authentication at the ALB level, you ensure that all backend services are accessed only by authenticated users, enhancing the overall security of the web application.
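One way to verify the result of the steps above, as an added example that is not part of the original page: the functions below audit listener rules in the shape of the `Rules` list returned by `elbv2 describe-rules` and report any rule that forwards traffic without an enforcing authenticate action. The sample rules, target group ARN and issuer URL are constructed placeholders.

```python
# Added example: flag ALB listener rules that can forward anonymous requests.
# Input has the shape of the Rules list returned by elbv2 describe-rules.

AUTH_CONFIG_KEY = {
    "authenticate-oidc": "AuthenticateOidcConfig",
    "authenticate-cognito": "AuthenticateCognitoConfig",
}

def audit_rule(rule):
    """Return a finding string, or None if every forward is behind enforced auth."""
    mode = None  # OnUnauthenticatedRequest of the auth action seen so far
    for action in sorted(rule["Actions"], key=lambda a: a.get("Order", 0)):
        kind = action["Type"]
        if kind in AUTH_CONFIG_KEY:
            # The ELBv2 API defaults OnUnauthenticatedRequest to "authenticate".
            mode = action[AUTH_CONFIG_KEY[kind]].get("OnUnauthenticatedRequest", "authenticate")
        elif kind == "forward":
            if mode is None:
                return "forward without an authenticate action"
            if mode == "allow":
                return "authenticate action allows unauthenticated requests"
    return None

def audit_listener(rules):
    """Return [(priority, finding)] for rules that let anonymous traffic through."""
    return [(r["Priority"], f) for r in rules if (f := audit_rule(r))]

# Constructed sample data (not from a real account); ARN and issuer are placeholders.
TG = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/example/PLACEHOLDER"

def oidc(on_unauth):
    """Build a constructed authenticate-oidc action with the given unauthenticated mode."""
    return {"Type": "authenticate-oidc", "Order": 1, "AuthenticateOidcConfig": {
        "Issuer": "https://idp.example.com", "OnUnauthenticatedRequest": on_unauth}}

FORWARD = {"Type": "forward", "Order": 2, "TargetGroupArn": TG}
SAMPLE_RULES = [
    {"Priority": "1", "Actions": [oidc("authenticate"), FORWARD]},
    {"Priority": "2", "Actions": [oidc("allow"), FORWARD]},
    {"Priority": "default", "Actions": [{"Type": "forward", "Order": 1, "TargetGroupArn": TG}]},
]

if __name__ == "__main__":
    for priority, finding in audit_listener(SAMPLE_RULES):
        print(f"rule {priority}: {finding}")
```

A rule whose authenticate action uses `deny` or `authenticate` passes; the default rule is the one most often left as a bare forward.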


Contribute your Thoughts:

Giuseppe
3 months ago
Isn't D a bit too reactive? Shouldn't we prevent unauthenticated access upfront?
upvoted 0 times
...
Marg
3 months ago
A is definitely the way to go, ALB needs that integration.
upvoted 0 times
...
Silvana
3 months ago
Wait, why would you use signed URLs in B? That sounds risky!
upvoted 0 times
...
Glenna
4 months ago
I disagree, I think C could work just as well with WAF filtering.
upvoted 0 times
...
Alyce
4 months ago
Option A seems like the best choice for enforcing authentication.
upvoted 0 times
...
Noble
4 months ago
I remember we talked about using CloudTrail for logging, but I’m not sure if just analyzing logs and blocking requests is proactive enough. It feels like a reactive solution rather than a preventive one.
upvoted 0 times
...
Kindra
4 months ago
I feel like modifying CloudFront with signed URLs could work, but it seems risky to allow any request to access the backend. I’m leaning towards option A for better security.
upvoted 0 times
...
Serina
4 months ago
I think we practiced a similar question where we had to secure an API. If I recall correctly, using AWS WAF could be a good option, but I’m not confident if it’s the best choice here.
upvoted 0 times
...
Lai
5 months ago
I remember we discussed integrating the ALB with the IdP for authentication. Option A seems like the right approach, but I'm not entirely sure if it covers all scenarios.
upvoted 0 times
...
Tayna
5 months ago
I'm leaning towards option D. Logging all requests with CloudTrail and then using a Lambda function to analyze and block unauthenticated users seems like a comprehensive solution.
upvoted 0 times
...
Melissa
5 months ago
The key here is ensuring that all backend services respond to only authenticated users. Option C looks promising - using AWS WAF to filter out unauthenticated requests at the ALB level.
upvoted 0 times
...
Willis
5 months ago
Hmm, I'm a bit confused. The question mentions that the API Gateway already uses a JWT authorizer, so wouldn't that already handle authentication? I'm not sure if we need to do anything with the ALB.
upvoted 0 times
...
Lenna
5 months ago
This seems like a straightforward security problem. I think option A is the best solution - configuring the ALB to enforce authentication and authorization with the IdP.
upvoted 0 times
...
Levi
1 year ago
Option C is the way to go. AWS WAF is like a bouncer for your backend services - only let the cool kids in.
upvoted 0 times
Glendora
1 year ago
AWS WAF web ACL will definitely help in enforcing this security measure.
upvoted 0 times
...
Lonna
1 year ago
I agree. It's important to ensure that only authenticated traffic reaches the backend services.
upvoted 0 times
...
Carissa
1 year ago
Exactly! Filtering out unauthenticated requests at the ALB level is crucial for security.
upvoted 0 times
...
Helga
1 year ago
Option C is the way to go. AWS WAF is like a bouncer for your backend services - only let the cool kids in.
upvoted 0 times
...
...
Fairy
1 year ago
Option A is the way to go. Integrating with the IdP is the security equivalent of turning it off and on again. Simple and effective!
upvoted 0 times
...
Pauline
1 year ago
Option D is a bit overkill. Analyzing CloudTrail logs and using a Lambda function to block unauthenticated users seems like a lot of work when there are simpler solutions.
upvoted 0 times
Jina
1 year ago
B: I agree, it's important to keep it simple and secure.
upvoted 0 times
...
Sharan
1 year ago
A: A sounds like the best option. Integrating the ALB with the IdP will ensure only authenticated users can access the backend services.
upvoted 0 times
...
...
Chantay
1 year ago
Option C looks promising. Using AWS WAF to filter out unauthenticated requests at the ALB level is a smart move.
upvoted 0 times
Ailene
1 year ago
Enabling AWS CloudTrail to log requests and using a Lambda function to block unauthenticated users could also be effective.
upvoted 0 times
...
Pearlene
1 year ago
Configuring the ALB to enforce authentication and authorization with the IdP seems like the best solution.
upvoted 0 times
...
Selma
1 year ago
I agree. It's important to only allow authenticated traffic to reach the backend services.
upvoted 0 times
...
Pa
1 year ago
Option C looks promising. Using AWS WAF to filter out unauthenticated requests at the ALB level is a smart move.
upvoted 0 times
...
...
Armando
1 year ago
I'm not sure about option C. Creating a web ACL to filter out unauthenticated requests seems like a good idea too.
upvoted 0 times
...
Dong
1 year ago
I agree with Arthur. Option A ensures that only authenticated users can access the backend services.
upvoted 0 times
...
Victor
1 year ago
I'm not sure about Option B. Allowing any request to access the backend services doesn't seem very secure, even with signed URLs.
upvoted 0 times
Kristine
1 year ago
C: Definitely, we can't risk allowing unauthenticated users to reach the backend services. Option A is the way to go.
upvoted 0 times
...
Keneth
1 year ago
B: I agree, Option A is the most secure option. We need to make sure only authenticated users have access.
upvoted 0 times
...
Nguyet
1 year ago
A: Option A seems like the best choice. Integrating the ALB with the IdP will ensure only authenticated users can access the backend services.
upvoted 0 times
...
...
Arthur
1 year ago
I think option A is the best solution. It integrates the ALB with the IdP to enforce authentication.
upvoted 0 times
...
Brandon
1 year ago
Option A seems like the way to go. Integrating the ALB with the IdP to enforce authentication is the most straightforward solution.
upvoted 0 times
Renato
1 year ago
Enabling AWS CloudTrail to log requests and using a Lambda function to block unauthenticated users seems like a more complex solution compared to option A.
upvoted 0 times
...
Isaac
1 year ago
Configuring the ALB to enforce authentication and authorization with the IdP is definitely the best approach.
upvoted 0 times
...
Nickolas
1 year ago
I agree, it's important to only allow authenticated users to access the backend services.
upvoted 0 times
...
Rhea
1 year ago
Option A seems like the way to go. Integrating the ALB with the IdP to enforce authentication is the most straightforward solution.
upvoted 0 times
...
...
