AWS Certified Advanced Networking - Specialty (#43)

A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application’s origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?

Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.
Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin’s Application Load Balancer to accept only traffic that contains that header.
Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.
Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.