Update Security Groups for ELB to Allow Valid AWS CloudFront IP Pool | AWS Exam Preparation

Update Security Groups


Question

A global IT firm has deployed the company's website on an EC2 instance behind an ELB.

AWS CloudFront is configured with the ELB as its origin to serve all web content with the lowest latency to global partners.

A Security Group is configured on the ELB so that only the AWS CloudFront IP ranges can reach the ELB and the web content hosted on the EC2 instance.

Recently the AWS CloudFront IP ranges changed; the new ranges were not allowed in the Security Group, and partner access to the website was impacted.

Which of the following tasks can be executed with minimum effort and cost to update the Security Groups attached to the ELB so that they allow only the valid AWS CloudFront IP pool?

Answers

Explanations


A. Create a Lambda function based upon VPC flow logs which will automatically check if any IP ranges apart from the CloudFront IP pools are reaching the ELB and modify Security Groups automatically.

B. Create a cron job to poll VPC flow logs which will check if any IP ranges apart from the CloudFront IP pools are reaching the ELB and modify Security Groups accordingly.

C. Create a Lambda function based upon an AWS SNS trigger for changes in AWS CloudFront IP ranges to update the Security Groups attached to the ELB automatically.

D. Create a cron job to poll the CloudFront IP ranges to verify any changes and manually modify the Security Groups attached to the ELB if the IP ranges change.

Correct Answer - C.

Whenever the AWS IP address ranges published in ip-ranges.json change, including the CloudFront ranges, AWS publishes a notification to the public SNS topic AmazonIpSpaceChanged.

To update the Security Groups attached to the ELB automatically, subscribe a Lambda function to that topic. When triggered, the function downloads the current ip-ranges.json, verifies it against the MD5 hash carried in the notification, extracts the prefixes whose service is CLOUDFRONT, and replaces the inbound rules on the ELB's Security Groups so that only the current CloudFront ranges can reach the origin.

This is cost-effective because the Lambda function only runs when a notification is published for an IP range change; there is no host to keep running and nothing to poll.

Option A is incorrect because VPC flow logs only show traffic that has already reached (or been rejected by) the ELB. They cannot tell you which new ranges CloudFront will use, so a function driven by them cannot proactively update the Security Group.

Options B & D are incorrect because both depend on a cron job running on a host that must be kept up and paid for continuously; B inherits the flow-log limitation of Option A, and D still requires modifying the Security Groups manually each time the CloudFront IP ranges change.

Two caveats for anyone implementing Option C: CloudFront publishes more ranges than fit within a single Security Group's inbound rule quota, so the function in the linked blog post spreads them across several tagged Security Groups; and an IP allow-list only proves that a request came through CloudFront, not through your distribution, so pair it with a secret custom origin header that the origin verifies. AWS now also offers a managed prefix list for the CloudFront origin-facing ranges (com.amazonaws.global.cloudfront.origin-facing) that can be referenced directly in a Security Group rule and is maintained by AWS, which removes the need for the Lambda function altogether.

For more information on updating Security Groups automatically, refer to the following URL.

https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/
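The core of such an SNS-triggered updater, as an added example in Python (this is not the code from the linked AWS blog post). The shape of the AmazonIpSpaceChanged message (synctoken, md5, url) and of ip-ranges.json are real; the sample prefixes, the current-rule snapshot, the security group ID and the origin port are constructed assumptions for the demo. The pure functions run offline; only lambda_handler needs boto3 and network access.

```python
"""SNS-triggered updater for a CloudFront-only security group on an ELB (added example)."""
import hashlib
import ipaddress
import json
import urllib.request

PORT = 443  # assumption: CloudFront reaches the origin ELB over HTTPS

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json (four prefixes only).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
        {"ip_prefix": "120.52.22.96/27", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})

# Constructed AmazonIpSpaceChanged notification whose md5 matches the sample document above.
SAMPLE_SNS_MESSAGE = {
    "create-time": "2023-11-14-22-13-20",
    "synctoken": "1700000000",
    "md5": hashlib.md5(SAMPLE_IP_RANGES.encode()).hexdigest(),
    "url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
}

# Constructed snapshot of the group's IpPermissions: one stale CloudFront range on 443,
# plus an unrelated SSH rule that the updater must leave alone.
SAMPLE_CURRENT_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "13.32.0.0/15"}, {"CidrIp": "204.246.164.0/22"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]


def verify_and_load(message, body):
    """Check the downloaded ip-ranges.json against the md5 carried in the SNS message
    before trusting it; a mismatch means a truncated or tampered download."""
    if hashlib.md5(body.encode()).hexdigest() != message["md5"]:
        raise ValueError("ip-ranges.json md5 does not match the SNS notification")
    return json.loads(body)


def cloudfront_prefixes(doc):
    """IPv4 prefixes tagged with the CLOUDFRONT service key, in address order.
    (IPv6 ranges live under ipv6_prefixes and would go into Ipv6Ranges rules.)"""
    cidrs = {p["ip_prefix"] for p in doc["prefixes"] if p["service"] == "CLOUDFRONT"}
    return sorted(cidrs, key=ipaddress.ip_network)


def rule_diff(desired, current_rules, port=PORT):
    """Compare the desired CloudFront CIDRs with the CIDRs currently allowed on tcp/<port>.
    Returns (to_add, to_remove); rules on other ports are ignored, not touched."""
    current = {
        r["CidrIp"]
        for perm in current_rules
        if perm["IpProtocol"] == "tcp" and perm["FromPort"] == port and perm["ToPort"] == port
        for r in perm.get("IpRanges", [])
    }
    wanted = set(desired)
    return (sorted(wanted - current, key=ipaddress.ip_network),
            sorted(current - wanted, key=ipaddress.ip_network))


def split_for_quota(prefixes, max_rules=60):
    """A security group has a per-group inbound rule quota (60 by default); CloudFront
    publishes more ranges than that, so the list is split across several groups."""
    return [prefixes[i:i + max_rules] for i in range(0, len(prefixes), max_rules)]


def apply_diff(ec2, group_id, to_add, to_remove, port=PORT):
    """Push the diff through a boto3 EC2 client (hypothetical call site, not run here)."""
    def perms(cidrs):
        return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": c, "Description": "CloudFront"} for c in cidrs]}]
    if to_remove:  # revoke first so the additions never push the group past its quota
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms(to_remove))
    if to_add:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms(to_add))


def lambda_handler(event, context):
    """Entry point for the SNS-subscribed Lambda; needs boto3 and outbound network access."""
    import boto3  # present in the Lambda runtime
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    with urllib.request.urlopen(message["url"]) as resp:
        doc = verify_and_load(message, resp.read().decode())
    ec2 = boto3.client("ec2")
    group_id = "sg-0123456789abcdef0"  # assumption: the ELB's CloudFront-only security group
    current = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]["IpPermissions"]
    to_add, to_remove = rule_diff(cloudfront_prefixes(doc), current)
    apply_diff(ec2, group_id, to_add, to_remove)
    return {"added": to_add, "removed": to_remove}
```

Against the constructed snapshot the diff adds 52.46.0.0/18 and 120.52.22.96/27 and removes the stale 204.246.164.0/22 while leaving the port 22 rule untouched. The md5 check matters because the function is acting on a file it fetched over the network and then loosening a firewall rule on the strength of it; the Lambda execution role should be limited to DescribeSecurityGroups and the two ingress calls on the tagged groups.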

The scenario in the question is a global IT firm whose website runs on an EC2 instance behind an ELB, with AWS CloudFront configured to use the ELB as its origin so that web content is served to global partners with the lowest latency. A Security Group on the ELB ensures that only the AWS CloudFront IP ranges can reach the ELB and the web content hosted on the EC2 instance.

The question asks which task updates the Security Groups attached to the ELB with minimum effort and cost so that they allow only the valid AWS CloudFront IP pool, after a change in the CloudFront IP ranges that was not reflected in the Security Groups broke partner access to the website.

Option A suggests a Lambda function based upon VPC flow logs which checks whether any IP ranges apart from the CloudFront IP pools are reaching the ELB and modifies the Security Groups automatically. Lambda is a serverless compute service that runs code without provisioning or managing servers, and VPC flow logs record metadata about the IP traffic to and from network interfaces in a VPC, including the ELB's. The problem is that flow logs are delivered in batches after the fact and only describe sources that have already tried to connect. A function reading them cannot learn which new ranges CloudFront has started using before partners are affected, and adding whatever unknown source shows up in the logs would defeat the purpose of the allow-list. This option is reactive rather than proactive, and it incurs flow log delivery and processing costs continuously.

Option B suggests a cron job that polls VPC flow logs, checks whether any IP ranges apart from the CloudFront IP pools are reaching the ELB, and modifies the Security Groups accordingly. A cron job is a time-based scheduler on Unix-like systems that runs scripts or commands at fixed intervals. It has the same flow-log limitation as Option A, and it additionally needs a host that is maintained and billed around the clock, so it is neither as efficient nor as cost-effective as an event-driven Lambda function.

Option C suggests a Lambda function triggered by an AWS SNS notification for changes in the AWS CloudFront IP ranges, which updates the Security Groups attached to the ELB automatically. SNS is a pub/sub messaging service that delivers messages to multiple subscribers or endpoints; AWS publishes to the AmazonIpSpaceChanged topic whenever its published IP ranges change. Subscribing a Lambda function to that topic means the Security Groups are updated at the moment the ranges change, with no polling, no host to maintain, and compute charged only for the few invocations per change.

Option D suggests a cron job that polls the CloudFront IP ranges to detect changes, after which the Security Groups attached to the ELB are modified manually. This is the least efficient and most error-prone solution, since it requires manual intervention to update the Security Groups every time the ranges change, and the window between the change and the manual update is exactly the outage the question describes.

In conclusion, Option C is the best solution for updating the Security Groups attached to the ELB automatically, with minimum effort and cost, when the AWS CloudFront IP ranges change: a Lambda function subscribed to the SNS topic for IP range changes. Options A and B rely on VPC flow logs, which can only observe traffic after the fact and cannot proactively discover new CloudFront ranges, and Option D depends on manual changes and is the most error-prone.