Your company currently has its application contents stored in S3 and hosts an application using AWS Cloudfront, which consists of NGINX web server hosted behind a load balancer. You need to ensure that you restrict access to certain locations for the content hosted on the Web server. How can you accomplish this?

Answer options:

A.Use the NGINX logs to get the web server variable and then use the IP address to restrict content via Cloudfront geo-restrictions.
B.Use the ELB logs to create a blacklist for restrictions.
C.Use the IP addresses in the X-Forwarded-For HTTP header and then restrict content via Cloudfront geo-restrictions.
D.Use the ELB itself to restrict content via geo-restrictions.

Answer – C
Such use case scenarios are given in the AWS Documentation.
Task list for restricting access to files in a CloudFront distribution based on geographic location
Get an account with a geolocation service.
Upload your content to an Amazon Simple Storage Service (S3) bucket. For more information, see the Amazon S3 documentation.
Configure Amazon CloudFront and Amazon S3 to serve private content. For more information, see Serving Private Content with Signed URLs and Signed Cookies.
Write your web application to do the following:
Send the IP address for each user request to the geolocation service.
Evaluate the return value from the geolocation service to determine whether the user is in a location to which you want CloudFront to distribute your content.
Based on whether you want to distribute your content to the user`s location, either generate a signed URL for your CloudFront content or return HTTP status code 403 (Forbidden) to the user. Alternatively, you can configure CloudFront to return a custom error message. For more information, see Creating a Custom Error Page for Specific HTTP Status Codes.
For more information, refer to the documentation for the geolocation service that you`re using.
You can use a web server variable to get the IP addresses of the users who are visiting your website. Note the following caveats:
If your web server is not connected to the internet through a load balancer, you can use a web server variable to get the remote IP address. However, this IP address isn`t always the user`s IP address—it can also be the IP address of a proxy server, depending on how the user is connected to the internet.
If your web server is connected to the internet through a load balancer, a web server variable might contain the IP address of the load balancer, not the IP address of the user. In this configuration, we recommend that you use the last IP address in the X-Forwarded-For HTTP header. This header typically contains more than one IP address, most of which are for proxies or load balancers. The last IP address in the list is the one most likely to be associated with the user`s geographic location.
If your web server is not connected to a load balancer, we recommend that you use web server variables instead of the X-Forwarded-For header to avoid IP address spoofing.
Option A is invalid since the web server variable could have the IP of the proxy server.
Options B and D are invalid since the ELB would not be able to provide geo-level restrictions.
For more information on restricting access via Cloudfront, please refer to the below URL
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html