A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application's origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?

A $.$ Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known$-$client IPs are able to access the application.

B $.$ Con$$gure CloudFront to use a custom header and con$$gure an AWS WAF rule on the origin's Application Load Balancer to accept only tra$$c that contains that header.

C $.$ Con$$gure an AWS Lambda@Edge function to validate that the tra$$c to the Application Load Balancer originates from CloudFront.

D $.$ Attach an origin access identity to the CloudFront origin that allows tra$$c to the origin that originates from only CloudFront.