Protecting Origin for Exclusive CloudFront access: Best Practices

A customer wants to protect his origin server (ALB + EC2) of a CloudFront distribution, allowing it to receive only the traffic coming from the CloudFront distribution, and preventing it to be accessible by other sources that basically would bypass CloudFront. The customer might consider to use WAF.

The approaches we discussed are basically 3:

1. Given that the ALB has his Security Group (SG), use a Lambda function to update a SG rule that only allows requests coming from CloudFront Edge Locations service IP range. This IP range could be modified every time a new Edge Location is added/removed to the global Amazon PoPs. Therefore an SNS topic can be used in order to trigger the automatic editing of the rule in the SG (with the updated IP range), through the Lambda function. This is well described in this blog post;

2. Use the same setup of solution 1, with WAF between the CloudFront distribution and the ALB (users -> CF -> WAF -> ALB -> compute_service). The difference with solution 1 would be that instead of updating the ALB Security Group rule, the Lambda function would update WAF rules based on IP Set.

3. Just use WAF between the CloudFront Distribution (users -> CF -> WAF -> ALB -> compute_service), and configure CF such that it adds a custom secret header to origin requests in order to identify all the requests coming from CloudFront and set up WAF such that only allows requests with that specific custom header, denying all the other requests to the origin (ALB). There is an external blog post that actually uses this approach, but not actually well documented in AWS doc/blog as a possible use case.

My questions/doubts are:

1. Which of the following approaches do you think is the best option in terms of configuration effort/operational efficiency? My idea is that the 1st is the more old-fashion, even if it has the advantages of being cost-efficient (since no WAF is used and SGs are free) and well proofed. I would move towards the 3rd approach, if possible.

2. Regarding the 3rd approach, is it a best practice to use WAF just for this task (to only allow requests coming from CloudFront)? I know that WAF fits both with CloudFront and with ALB, but in the most part of architectural patterns I've seen so far, WAF is always in front of a CloudFront (users -> WAF -> CF -> ALB -> compute_service).

3. Regarding the 3rd approach, is it secure to use a custom header that is basically a constant string over time? Or should I disregard this, as at the end of the day we encrypt it through HTTPS?

Thanks for sharing your perspective on that.