Restrict Access to Web Server Content | AWS Certified Advanced Networking - Specialty | Exam Answer

Restricting Access to Web Server Content


Question

Your company currently stores its application content in S3 and hosts an application using AWS CloudFront, which consists of an NGINX web server hosted behind a load balancer.

You need to ensure that you restrict access to certain locations for the content hosted on the Web server.

How can you accomplish this?

Explanations

Answer - C.

This use case is described in the AWS documentation.

Task list for restricting access to files in a CloudFront distribution based on geographic location.

Get an account with a geolocation service.

Upload your content to an Amazon Simple Storage Service (S3) bucket.

For more information, see the Amazon S3 documentation.

Configure Amazon CloudFront and Amazon S3 to serve private content.

For more information, see Serving Private Content with Signed URLs and Signed Cookies.

Write your web application to do the following:

Send the IP address for each user request to the geolocation service.

Evaluate the return value from the geolocation service to determine whether the user is in a location to which you want CloudFront to distribute your content.

Based on whether you want to distribute your content to the user's location, either generate a signed URL for your CloudFront content or return HTTP status code 403 (Forbidden) to the user.

Alternatively, you can configure CloudFront to return a custom error message.

For more information, see Creating a Custom Error Page for Specific HTTP Status Codes.

For more information, refer to the documentation for the geolocation service that you're using.

You can use a web server variable to get the IP addresses of the users who are visiting your website.

Note the following caveats:

If your web server is not connected to the internet through a load balancer, you can use a web server variable to get the remote IP address.

However, this IP address isn't always the user's IP address; it can also be the IP address of a proxy server, depending on how the user is connected to the internet.

If your web server is connected to the internet through a load balancer, a web server variable might contain the IP address of the load balancer, not the IP address of the user.

In this configuration, we recommend that you use the last IP address in the X-Forwarded-For HTTP header.

This header typically contains more than one IP address, most of which are for proxies or load balancers.

The last IP address in the list is the one most likely to be associated with the user's geographic location.

If your web server is not connected to a load balancer, we recommend that you use web server variables instead of the X-Forwarded-For header to avoid IP address spoofing.
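The decision flow from the task list and the caveats above, as an added example in Python that is not from the page or from AWS: choose the address to geolocate (last X-Forwarded-For entry behind a load balancer, the server's remote-address variable otherwise), look up its country, then either hand out a signed URL or return 403. The GEO_LOOKUP table, the sign_url callback and the sample addresses are constructed stand-ins for the external geolocation service and the application's CloudFront signing code.

```python
import ipaddress
from typing import Callable, Optional, Tuple

# Constructed stand-in for the external geolocation service the task list
# refers to: maps an IP address to an ISO country code. Addresses come from
# the documentation ranges (TEST-NET-2/3), not from real users.
GEO_LOOKUP = {
    "203.0.113.10": "DE",
    "198.51.100.7": "BR",
}


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], behind_lb: bool) -> str:
    """Choose which address to geolocate, applying the caveats above.

    Behind a load balancer, remote_addr is the balancer itself, so take the
    LAST entry of X-Forwarded-For: that is the one the balancer appended from
    the connection it accepted, whereas earlier entries came from the client
    and can be forged. Without a load balancer, ignore the header entirely and
    use the web server's own remote-address variable.
    """
    if behind_lb:
        if not x_forwarded_for:
            raise ValueError("behind a load balancer but no X-Forwarded-For header")
        candidate = x_forwarded_for.split(",")[-1].strip()
    else:
        candidate = remote_addr
    ipaddress.ip_address(candidate)  # reject malformed values before the lookup
    return candidate


def authorize(remote_addr: str, x_forwarded_for: Optional[str], behind_lb: bool,
              allowed_countries: set, sign_url: Callable[[str], str]) -> Tuple[int, str]:
    """Return (200, signed URL) when the user's country is allowed, else (403, 'Forbidden').

    sign_url is an assumed callback standing in for the application's CloudFront
    signed-URL generator; producing real signed URLs needs a CloudFront key pair.
    """
    ip = client_ip(remote_addr, x_forwarded_for, behind_lb)
    country = GEO_LOOKUP.get(ip)  # a real deployment queries the geolocation service here
    if country in allowed_countries:
        return 200, sign_url(ip)
    return 403, "Forbidden"
```

An unknown address (no country returned) is denied rather than allowed, which is the safe default when the lookup fails.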

Option A is invalid since the web server variable could contain the IP address of the proxy server rather than the user's.

Options B and D are invalid since the ELB would not be able to provide geo-level restrictions.

For more information on restricting access via CloudFront, refer to the URL below.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html

To restrict access to certain locations for the content hosted on the web server behind the load balancer, we can use CloudFront geo-restrictions. CloudFront allows us to create access restrictions by specifying a list of countries or regions where we want to allow or deny access to the content. This can be achieved by creating a Geo Restriction Policy in the AWS Management Console.

Answer A is incorrect because it suggests using NGINX logs to restrict content via CloudFront geo-restrictions. However, the NGINX logs do not contain location information that can be used to determine the geographic location of the request, so this approach is not feasible.

Answer B is also incorrect because it suggests using ELB logs to create a blacklist for restrictions. However, this approach is not appropriate for restricting access to certain locations since it does not provide information about the geographic location of the request.

Answer C is the correct answer. It suggests using the IP addresses in the X-Forwarded-For HTTP header to determine the geographic location of the request and then restricting content via CloudFront geo-restrictions. The X-Forwarded-For HTTP header carries the IP address of the client that originated the request. By examining this header, we can determine the geographic location of the request and then use that information to create a geo-restriction policy in CloudFront.

Answer D is incorrect because it suggests using the ELB itself to restrict content via geo-restrictions. However, the ELB does not provide information about the geographic location of the request, so this approach is not feasible.