A. Create an AWS WAF web ACL. Associate the web ACL with the CloudFront distribution. Create rules for each type of traffic that the company wants to block.
B. Create new ALB listener rules on the existing listeners. Configure the new rules to allow or reject incoming traffic based on whether the host header matches the CloudFront fully qualified domain name (FQDN).
C. Create an AWS PrivateLink endpoint service for the ALB Configure the endpoint service to allow requests from CloudFront. Update the web application origin in CloudFront to use the newly created endpoint service’s DNS name.
D. Create a CloudFront origin access identity (OAI) for the web application. Update the web application origin in CloudFront to use the OAI Update the ALB rules to check for the OAI and return an HTTP 403 error if the OAI header is not present.
E. Create an AWS Firewall Manager security policy. Attach the security policy to the CloudFront distribution. Use the security policy to attach AWS WAF rule groups for each type of traffic that the company wants to block.