Amazon SCS-C03 Exam - Topic 1 Question 12 Discussion

A security engineer for a company is investigating suspicious traffic on a web application in the AWS Cloud. The web application is protected by an Application Load Balancer (ALB) behind an Amazon CloudFront distribution. There is an AWS WAF web ACL associated with the ALB. The company stores AWS WAF logs in an Amazon S3 bucket.

The engineer notices that all incoming requests in the AWS WAF logs originate from a small number of IP addresses that correspond to CloudFront edge locations. The security engineer must identify the source IP addresses of the clients that are initiating the suspicious requests.

Which solution will meet this requirement?

A) Enable VPC Flow Logs in the VPC where the ALB is deployed. Examine the source field to capture the client IP addresses.
B) Inspect the X-Forwarded-For header in the AWS WAF logs to determine the original client IP addresses.
C) Modify the CloudFront distribution to disable ALB connection reuse. Examine the clientIp field in the AWS WAF logs to identify the original client IP addresses.
D) Configure CloudFront to add a custom header named Client-IP to origin requests that are sent to the ALB.

Suggested Answer: B

When Amazon CloudFront is used in front of an Application Load Balancer, CloudFront becomes the immediate source of incoming requests to the ALB. As a result, AWS WAF logs record the CloudFront edge location IP addresses as the client IPs, not the original viewer IP addresses. This behavior is explicitly documented in the AWS Certified Security -- Specialty Study Guide and the AWS WAF and CloudFront integration documentation.

To preserve the original client IP address, CloudFront automatically adds the X-Forwarded-For HTTP header, which contains the IP address of the originating client followed by any proxy addresses involved in forwarding the request. AWS WAF logs include this header, making it the authoritative source for identifying true client IP addresses when CloudFront is used.

Option A is incorrect because VPC Flow Logs capture network-level metadata and will only show CloudFront IP addresses, not the original client IPs. Option C is incorrect because disabling connection reuse does not change how client IPs are logged in AWS WAF. Option D is unnecessary because CloudFront already provides the required information through the standard X-Forwarded-For header.

AWS documentation consistently states that X-Forwarded-For is the correct and supported mechanism for tracing client IPs in CloudFront-protected applications.
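As an added example (not part of the exam question or the site's explanation), the Python script below shows how the suggested answer is applied to WAF logs pulled down from the S3 bucket: it parses the JSON-lines records, reads the X-Forwarded-For header from httpRequest.headers, and keeps only the rightmost entry. That choice matters in an investigation: a client can send its own X-Forwarded-For header with arbitrary addresses, and CloudFront appends the connecting viewer's address after them, so only the last entry was set by a proxy the company controls. The field layout follows the AWS WAF log format; the log records, addresses (documentation ranges), the stand-in "edge" address and the request IDs are all constructed for this example.

```python
import gzip
import ipaddress
import json
from collections import Counter

# Constructed stand-in for a CloudFront edge location address (documentation range,
# not a real CloudFront IP). In real logs this is what httpRequest.clientIp shows.
CONSTRUCTED_EDGE_IP = "198.51.100.10"


def _record(request_id, xff=None):
    """Build one minimal WAF log record containing only the fields this example reads."""
    headers = [{"name": "Host", "value": "app.example.com"}]
    if xff is not None:
        headers.append({"name": "X-Forwarded-For", "value": xff})
    return json.dumps({
        "timestamp": 1700000000000,
        "formatVersion": 1,
        "action": "ALLOW",
        "httpSourceName": "ALB",
        "httpRequest": {
            "clientIp": CONSTRUCTED_EDGE_IP,
            "headers": headers,
            "uri": "/login",
            "httpMethod": "POST",
            "requestId": request_id,
        },
    })


# Constructed sample log lines, one JSON object per line as AWS WAF writes them to S3.
SAMPLE_WAF_LOG_LINES = [
    _record("req-1", "203.0.113.7"),            # viewer address only
    _record("req-2", "10.0.0.1, 203.0.113.7"),  # client-supplied entry to the left
    _record("req-3", "2001:db8::42"),           # IPv6 viewer
    _record("req-4"),                           # header absent entirely
]


def load_waf_log_lines(path):
    """Read a downloaded WAF log object (plain or gzip-compressed JSON lines)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return [line for line in fh if line.strip()]


def header_value(headers, name):
    """Return the first header value whose name matches case-insensitively, else None."""
    wanted = name.lower()
    for header in headers:
        if header.get("name", "").lower() == wanted:
            return header.get("value")
    return None


def viewer_ip_from_xff(xff_value):
    """Return the rightmost X-Forwarded-For entry if it is a valid IP, else None.

    Entries to the left of the last one arrived from the client and are untrusted;
    the last entry is the one CloudFront appended for the connecting viewer. If that
    entry is not a valid address the record is treated as having no usable viewer IP
    rather than falling back to a client-supplied value.
    """
    if not xff_value:
        return None
    last = xff_value.rsplit(",", 1)[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None


def extract_client_ips(log_lines):
    """Return (logged clientIp, recovered viewer IP or None) for each record."""
    results = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        request = json.loads(line).get("httpRequest", {})
        xff = header_value(request.get("headers", []), "X-Forwarded-For")
        results.append((request.get("clientIp"), viewer_ip_from_xff(xff)))
    return results


def count_viewer_ips(log_lines):
    """Aggregate requests by recovered viewer IP, falling back to the logged clientIp."""
    counts = Counter()
    for logged_ip, viewer_ip in extract_client_ips(log_lines):
        counts[viewer_ip or logged_ip] += 1
    return counts


if __name__ == "__main__":
    # Swap SAMPLE_WAF_LOG_LINES for load_waf_log_lines("<downloaded-object>.gz")
    # to run the same aggregation over a real log object from the S3 bucket.
    for viewer_ip, n in count_viewer_ips(SAMPLE_WAF_LOG_LINES).most_common():
        print(f"{viewer_ip:>20}  {n}")
```

Record req-2 is the case that justifies reading the header from the right: counting the leftmost entry would attribute the request to 10.0.0.1, a value the client chose, while the CloudFront-appended entry identifies the same viewer as req-1. Records with no header at all are kept under the logged edge address so they remain visible in the tally instead of silently disappearing.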

References:

- AWS Certified Security -- Specialty Official Study Guide
- AWS WAF Developer Guide -- Logging
- Amazon CloudFront Developer Guide -- Request Headers