Your website utilizes EC2, S3, ELB-Classic, and CloudFront. How can you implement the right security measures for this configuration? Choose 2 answers from the options given below

Answer options:

A.An NACL that blocks all ports to your subnets.
B.A restricted bucket policy on S3
C.A WAF on your CloudFront distribution.
D.A WAF on the load balancer.

Answer - B and C
The NACL would not be the right approach to block all ports , because then the application hosted on the instances in the subnet might not work with this approach.
WAF are supported on the Application Load Balancer and not the classic load balancer
For more information on the web application firewall please refer to the below URL:
https://aws.amazon.com/waf/faq/
For more information on bucket policies please refer to the below URL:
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html