DVA-C01: AWS Certified Developer - Associate Exam | Cloudfront Encryption

Cloudfront Encryption

Question

You've developed an application that is going to be hosted on an EC2 Instance.

The company has decided to use Cloudfront to distribute the content.

The IT Security department has mandated that the traffic is encrypted between Cloudfront and the Viewer and Cloudfront and its origin.

How can you achieve this? Choose 2 answers from the options given below.

Explanations

Answer - C and D.

This is given in the AWS Documentation.

Since this is clearly given in the documentation, all other options are incorrect.

For more information on configuring HTTPS between the viewer and CloudFront and between CloudFront and the origin, please refer to the URLs below:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

To require HTTPS between viewers and CloudFront for one or more cache behaviors, perform the following procedure.

To configure CloudFront to require HTTPS between viewers and CloudFront

1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/.
2. In the top pane of the CloudFront console, choose the ID for the distribution that you want to update.
3. On the Behaviors tab, choose the cache behavior that you want to update, and then choose Edit.
4. Specify one of the following values for Viewer Protocol Policy:

Redirect HTTP to HTTPS:

Viewers can use both protocols. HTTP GET and HEAD requests are automatically redirected to HTTPS requests. CloudFront returns HTTP status code 301 (Moved Permanently) along with the new HTTPS URL. The viewer then resubmits the request to CloudFront using the HTTPS URL.

Important

If you send POST, PUT, DELETE, OPTIONS, or PATCH over HTTP with an HTTP to HTTPS cache behavior and a request protocol version of HTTP 1.1 or above, CloudFront redirects the request to an HTTPS location with an HTTP status code 307 (Temporary Redirect). This guarantees that the request is sent again to the new location using the same method and body payload.

If you send POST, PUT, DELETE, OPTIONS, or PATCH requests over HTTP to an HTTP to HTTPS cache behavior with a request protocol version below HTTP 1.1, CloudFront returns an HTTP status code 403 (Forbidden).

When a viewer makes an HTTP request that is redirected to an HTTPS request, CloudFront charges for both requests. For the HTTP request, the charge is only for the request and for the headers that CloudFront returns to the viewer. For the HTTPS request, the charge is for the request, and for the headers and the object that are returned by your origin.

HTTPS Only

To encrypt the traffic between CloudFront and the viewer and between CloudFront and its origin, you can follow these steps:

  1. Ensure that the Viewer Protocol Policy is set to HTTPS Only or Redirect HTTP to HTTPS. The Viewer Protocol Policy specifies the protocols that CloudFront will accept from viewers. By setting this policy to HTTPS Only or Redirect HTTP to HTTPS, you ensure that all traffic between the viewer and CloudFront is encrypted.

  2. Ensure that the Origin Protocol Policy is set to HTTPS Only. The Origin Protocol Policy specifies the protocol that CloudFront will use to communicate with your origin. By setting this policy to HTTPS Only, you ensure that all traffic between CloudFront and your origin is encrypted.

So, by configuring the Viewer Protocol Policy to use HTTPS only or redirect HTTP to HTTPS and setting the Origin Protocol Policy to HTTPS only, you will ensure that all traffic between CloudFront and the viewer and between CloudFront and the origin is encrypted.
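The two settings above can be checked mechanically. The following is an added example (not part of the original question or AWS's own tooling) that audits a distribution configuration in the shape returned by boto3's `get_distribution_config()` and returns a hardened copy; the sample config, its origin Id and its domain name are constructed placeholders.

```python
import copy

# Real CloudFront API enum values for the two settings this question is about.
SAFE_VIEWER_POLICIES = {"https-only", "redirect-to-https"}  # viewer <-> CloudFront
SAFE_ORIGIN_POLICIES = {"https-only"}                       # CloudFront <-> custom origin


def iter_behaviors(config):
    """Yield (label, behavior) for the default and every path-pattern cache behavior."""
    yield "DefaultCacheBehavior", config["DefaultCacheBehavior"]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        yield f"CacheBehavior {b['PathPattern']}", b


def audit_distribution(config):
    """Return one finding per leg that still permits plaintext; [] means both legs are HTTPS."""
    findings = []
    for label, b in iter_behaviors(config):
        policy = b.get("ViewerProtocolPolicy")
        if policy not in SAFE_VIEWER_POLICIES:
            findings.append(f"{label}: ViewerProtocolPolicy={policy!r} permits HTTP from viewers")
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 bucket origins carry no OriginProtocolPolicy; not covered here
        policy = custom.get("OriginProtocolPolicy")
        if policy not in SAFE_ORIGIN_POLICIES:
            findings.append(f"Origin {origin['Id']}: OriginProtocolPolicy={policy!r} permits HTTP to the origin")
    return findings


def harden_distribution(config):
    """Return a copy with viewers redirected to HTTPS and every custom origin set to HTTPS only."""
    fixed = copy.deepcopy(config)
    for _, b in iter_behaviors(fixed):
        if b.get("ViewerProtocolPolicy") not in SAFE_VIEWER_POLICIES:
            b["ViewerProtocolPolicy"] = "redirect-to-https"
    for origin in fixed.get("Origins", {}).get("Items", []):
        if "CustomOriginConfig" in origin:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
    return fixed


# Constructed sample (placeholder Id and domain) mirroring get_distribution_config()["DistributionConfig"].
WEAK_CONFIG = {
    "Origins": {"Items": [{"Id": "ec2-origin", "DomainName": "ec2-example.compute.amazonaws.com",
                           "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                                  "OriginProtocolPolicy": "match-viewer"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "ec2-origin", "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Items": [{"PathPattern": "/api/*", "TargetOriginId": "ec2-origin",
                                  "ViewerProtocolPolicy": "https-only"}]},
}

if __name__ == "__main__":
    for finding in audit_distribution(WEAK_CONFIG):
        print("FINDING:", finding)
    print("after hardening:", audit_distribution(harden_distribution(WEAK_CONFIG)) or "no findings")
```

The hardened copy is what you would pass back to `update_distribution()` together with the current ETag; "match-viewer" is flagged because it only yields HTTPS to the origin when the viewer already used HTTPS.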

Option A is incorrect because HTTP cannot be mapped to port 443. Port 443 is used for HTTPS traffic.

Option B is also incorrect because KMS keys are not directly related to encrypting traffic between CloudFront and the viewer or CloudFront and its origin. KMS keys are used for data encryption at rest.

Therefore, the correct answers are C and D.