🔥 3-day streak
AWS Certified Security - Specialty7 / 157
Question 7 of 157

A retail company serves its web application through Amazon CloudFront with an Application Load Balancer (ALB) origin. AWS WAF is associated with the CloudFront distribution to filter malicious requests. During a security review, the team discovers that attackers are bypassing CloudFront by sending requests directly to the ALB's public DNS name, avoiding the WAF rules entirely. The ALB must remain internet-facing to support the CloudFront integration. Which combination of controls MOST effectively ensures that only CloudFront-originated traffic reaches the ALB?

Reviewed for accuracy · Report an issueNext question