Learn how to configure CloudFront to enforce HTTPS traffic encryption and use a custom SSL certificate from AWS Certificate Manager for a secure, end-to-end encrypted connection.
Question
A company is building a web application on AWS. The company is using Amazon CloudFront with a domain name of www.example.com. All traffic to CloudFront must be encrypted in transit. The company already has provisioned an SSL certificate for www.example.com in AWS Certificate Manager (ACM).
Which combination of steps should a SysOps administrator take to encrypt the traffic in transit? (Choose two.)
A. For each cache behavior in the CloudFront distribution, modify the Viewer Protocol Policy setting to redirect HTTP to HTTPS.
B. For each cache behavior in the CloudFront distribution, modify the Viewer Protocol Policy setting to allow HTTP and HTTPS.
C. Enter the alternate domain name (CNAME) of www.example.com for the CloudFront distribution. Select the custom SSL certificate.
D. Configure an AWS WAF web ACL for the CloudFront distribution.
E. Configure CloudFront Origin Shield for the CloudFront origin.
Answer
A. For each cache behavior in the CloudFront distribution, modify the Viewer Protocol Policy setting to redirect HTTP to HTTPS.
C. Enter the alternate domain name (CNAME) of www.example.com for the CloudFront distribution. Select the custom SSL certificate.
Explanation
A. Modifying the Viewer Protocol Policy setting to redirect HTTP to HTTPS ensures that all incoming traffic to the CloudFront distribution is redirected from unencrypted HTTP to encrypted HTTPS. This guarantees that the viewer's connection to CloudFront is always encrypted.
C. Entering the alternate domain name (CNAME) of www.example.com for the CloudFront distribution and selecting the custom SSL certificate provisioned in AWS Certificate Manager (ACM) allows CloudFront to use the provided SSL certificate to terminate the HTTPS connection and serve the content securely.
By implementing these steps, all traffic to the CloudFront distribution will be encrypted in transit, as requested by the company’s requirements.
The incorrect options are:
B. Modifying the Viewer Protocol Policy setting to allow both HTTP and HTTPS is not recommended, as it would allow unencrypted traffic, which is against the company’s requirement for encrypted traffic.
D. Configuring an AWS WAF web ACL is not necessary for encrypting traffic in transit. AWS WAF is used for web application firewall rules and protection against common web exploits.
E. Configuring CloudFront Origin Shield is not required for encrypting traffic in transit. Origin Shield is an optional service that helps protect the origin from web application layer attacks.
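The following audit helper is an added example, not part of the page or of any AWS tool: it checks a distribution configuration for options A and C (every cache behavior set to redirect-to-https or https-only, the www.example.com alias present, and an ACM certificate attached instead of the default *.cloudfront.net one) and, going beyond the question, also checks that the CloudFront-to-origin leg uses HTTPS. It takes a dict in the shape boto3's `get_distribution_config()` returns under `DistributionConfig`; the two sample configs and the certificate ARN are constructed placeholders so the check runs offline.

```python
SECURE_VIEWER_POLICIES = {"redirect-to-https", "https-only"}


def audit_transit_encryption(cfg: dict, expected_alias: str) -> list[str]:
    """Return findings for a DistributionConfig dict; empty means it passes."""
    findings = []
    # Option A: the default behavior and every additional cache behavior must
    # refuse plain HTTP; "allow-all" (option B) is what fails here.
    behaviors = [("DefaultCacheBehavior", cfg["DefaultCacheBehavior"])]
    for cb in cfg.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((f"CacheBehavior {cb.get('PathPattern')}", cb))
    for name, cb in behaviors:
        policy = cb.get("ViewerProtocolPolicy")
        if policy not in SECURE_VIEWER_POLICIES:
            findings.append(f"{name}: ViewerProtocolPolicy={policy!r}, want redirect-to-https")
    # Option C: the alternate domain name must be listed and served with the ACM cert.
    aliases = cfg.get("Aliases", {}).get("Items", [])
    if expected_alias not in aliases:
        findings.append(f"Aliases: {expected_alias} not listed (have {aliases})")
    cert = cfg.get("ViewerCertificate", {})
    arn = cert.get("ACMCertificateArn", "")
    if cert.get("CloudFrontDefaultCertificate") or not arn:
        findings.append("ViewerCertificate: default *.cloudfront.net cert in use; attach the ACM cert")
    elif ":us-east-1:" not in arn:
        # CloudFront only accepts ACM certificates issued in us-east-1 (N. Virginia).
        findings.append(f"ViewerCertificate: ACM cert must be in us-east-1, got {arn}")
    # Beyond the question: the CloudFront-to-origin leg must also be HTTPS, or encryption stops at the edge.
    for origin in cfg.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig", {})
        if custom and custom.get("OriginProtocolPolicy") != "https-only":
            findings.append(f"Origin {origin['Id']}: OriginProtocolPolicy should be https-only")
    return findings


# Constructed samples (not real distributions): WEAK is option B plus the default cert; FIXED is A and C.
WEAK_CONFIG = {
    "Aliases": {"Items": []},
    "DefaultCacheBehavior": {"TargetOriginId": "web", "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Items": [{"PathPattern": "/api/*", "ViewerProtocolPolicy": "allow-all"}]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
    "Origins": {"Items": [{"Id": "web", "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]},
}
FIXED_CONFIG = {
    "Aliases": {"Items": ["www.example.com"]},
    "DefaultCacheBehavior": {"TargetOriginId": "web", "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": [{"PathPattern": "/api/*", "ViewerProtocolPolicy": "redirect-to-https"}]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": False, "SSLSupportMethod": "sni-only",
                          "MinimumProtocolVersion": "TLSv1.2_2021",
                          "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-ID"},
    "Origins": {"Items": [{"Id": "web", "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]},
}
```

Run it against a live distribution by passing `get_distribution_config(Id=...)["DistributionConfig"]` instead of the embedded samples.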
Amazon AWS Certified SysOps Administrator – Associate certification exam practice question and answer (Q&A) dump with detailed explanation and reference, available free and helpful for passing the Amazon AWS Certified SysOps Administrator – Associate exam and earning the Amazon AWS Certified SysOps Administrator – Associate certification.