AWS Certified Advanced Networking - Specialty Exam: Encrypting Traffic for EC2 Instance and CloudFront Web Distribution

Achieving Complete Encryption in Transit for EC2 Instance and CloudFront Web Distribution


Question

You have an EC2 Instance that will act as a custom origin for a CloudFront web distribution.

You need to ensure that traffic is encrypted completely in transit.

Which of the following steps is part of the process to achieve this?


Answer - A.

The AWS documentation describes the distribution configuration for this scenario.

Origin Protocol Policy.

Change the Origin Protocol Policy for the applicable origins in your distribution:

Match Viewer - CloudFront communicates with your custom origin using HTTP or HTTPS, depending on the protocol of the viewer request.

For example, if you choose Match Viewer for Origin Protocol Policy and the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin.

Choose Match Viewer only if you specify Redirect HTTP to HTTPS or HTTPS Only for Viewer Protocol Policy.

CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols.

Origin SSL Protocols.

Choose the Origin SSL Protocols for the applicable origins in your distribution.

The SSLv3 protocol is less secure, so we recommend that you choose SSLv3 only if your origin doesn't support TLSv1 or later.

Note.

The TLSv1 handshake is both backward and forward compatible with SSLv3, but TLSv1.1 and TLSv1.2 are not.

In this case, OpenSSL only sends an SSLv3 handshake.

Option B is incorrect since the Viewer Protocol should not be HTTP.

Options C and D are incorrect because CloudFront traffic cannot be routed through an Amazon Virtual Private Network.

For more information on using HTTPS for a custom origin, refer to the URL below.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

The correct answer is A: configure the Viewer Protocol Policy as Redirect HTTP to HTTPS and change the Origin Protocol Policy to Match Viewer.

CloudFront is a content delivery network (CDN) provided by AWS, which speeds up content delivery by caching content at edge locations closer to end users. To ensure that traffic is encrypted completely in transit, we need to use HTTPS on both legs of the path: from the viewer to CloudFront and from CloudFront to the origin.

HTTPS (Hypertext Transfer Protocol Secure) is a protocol for secure communication over the internet, which combines HTTP with SSL/TLS encryption. SSL/TLS provides an encrypted tunnel between the client and server, protecting the confidentiality and integrity of the data transmitted.

In CloudFront, there are two protocol policies to consider:

  1. Viewer Protocol Policy: This policy specifies which protocol CloudFront should use to communicate with end users.

  2. Origin Protocol Policy: This policy specifies which protocol CloudFront should use to communicate with the origin server (in this case, the EC2 Instance acting as a custom origin).

To ensure that traffic is encrypted completely in transit, we need to configure the Viewer Protocol Policy as Redirect HTTP to HTTPS. This means that if a user tries to access the content over HTTP, CloudFront will redirect the user to HTTPS.

We also need to change the Origin Protocol Policy to Match Viewer. This means that CloudFront uses the same protocol towards the origin that the viewer used; because the Viewer Protocol Policy forces every viewer request onto HTTPS, the connection to the origin is HTTPS as well.
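As an added check that is not part of the exam page or of AWS's own tooling, the following Python audit walks a CloudFront DistributionConfig (field names are the CloudFront API's; the two sample configurations are constructed) and flags any viewer or origin setting the explanation above would reject, including the case where Match Viewer inherits plain HTTP from a permissive viewer policy and an origin that still permits SSLv3.

```python
# Added example (not code from the exam page or from AWS): audit a CloudFront
# DistributionConfig for encryption on both legs, viewer->CloudFront and
# CloudFront->origin. Field names follow the CloudFront API; samples are constructed.

SAFE_VIEWER = {"redirect-to-https", "https-only"}  # viewer leg is always TLS
WEAK_SSL = {"SSLv3"}                                # flagged origin protocol

def audit_distribution(config):
    """Return a list of findings; an empty list means both legs are encrypted."""
    findings = []
    # Viewer leg: default behaviour plus every path-specific cache behaviour.
    behaviors = [config["DefaultCacheBehavior"]]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    viewer_policies = {b["ViewerProtocolPolicy"] for b in behaviors}
    for b in behaviors:
        if b["ViewerProtocolPolicy"] not in SAFE_VIEWER:
            findings.append(f"viewer policy {b['ViewerProtocolPolicy']!r} on "
                            f"{b.get('PathPattern', 'default')} allows plain HTTP")
    # Origin leg: only custom origins (e.g. an EC2 instance) carry these fields.
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        policy = custom["OriginProtocolPolicy"]
        if policy == "http-only":
            findings.append(f"origin {origin['Id']} uses http-only")
        elif policy == "match-viewer" and not viewer_policies <= SAFE_VIEWER:
            # match-viewer is safe only when every viewer policy forces HTTPS
            findings.append(f"origin {origin['Id']} match-viewer inherits HTTP "
                            "from a viewer policy that allows it")
        weak = WEAK_SSL & set(custom.get("OriginSslProtocols", {}).get("Items", []))
        if weak:
            findings.append(f"origin {origin['Id']} permits {sorted(weak)}")
    return findings

# Constructed sample: the configuration the answer describes.
GOOD_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "Origins": {"Items": [{"Id": "ec2-origin", "CustomOriginConfig": {
        "OriginProtocolPolicy": "match-viewer",
        "OriginSslProtocols": {"Items": ["TLSv1.2"]}}}]},
}
# Constructed sample: viewers may use HTTP and match-viewer passes that on.
WEAK_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "Origins": {"Items": [{"Id": "ec2-origin", "CustomOriginConfig": {
        "OriginProtocolPolicy": "match-viewer",
        "OriginSslProtocols": {"Items": ["SSLv3", "TLSv1.2"]}}}]},
}
```

Running `audit_distribution(WEAK_CONFIG)` returns three findings (permissive viewer policy, inherited HTTP at the origin, SSLv3 permitted), while `GOOD_CONFIG` returns none.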

Option B is incorrect because it suggests using HTTP for the Viewer Protocol Policy, which is not secure. Even if an SSL certificate is installed on the EC2 Instance, the communication between CloudFront and the EC2 Instance will not be secure.

Option C is incorrect because it suggests using the Amazon Virtual Private Network (VPN) to ensure that traffic is encrypted. While a VPN can provide a secure tunnel between the client and server, it is not necessary in this case because HTTPS already provides the required encryption.

Option D is incorrect because it suggests using both Redirect HTTP to HTTPS and VPN, which is not necessary in this case.