Question #706
An organization is using Amazon CloudFront to distribute a global API, requiring all traffic between users and CloudFront, and between CloudFront and the origin server, to be encrypted. How can these requirements be met? (Choose two.)
A. Use AWS Secrets Manager to encrypt traffic between CloudFront and the origin server.
B. Set the Origin Protocol Policy to 'HTTPS Only'.
C. Set the Origin's HTTP Port to 443.
D. Set the Viewer Protocol Policy to 'HTTPS Only' or 'Redirect HTTP to HTTPS'.
E. Enable the CloudFront option to enforce secure TLS versions.
Explanation
The correct answers are B and D.
Why B and D are correct:
- B: Setting the Origin Protocol Policy to 'HTTPS Only' makes CloudFront connect to the origin over HTTPS regardless of how the viewer connected. 'Match Viewer' is not enough on its own, because a viewer request that arrived over HTTP would be forwarded to the origin over HTTP.
- D: Setting the Viewer Protocol Policy to 'HTTPS Only' (CloudFront answers HTTP requests with 403) or 'Redirect HTTP to HTTPS' (CloudFront answers with a 301 to the HTTPS URL) ensures that no viewer content is served over cleartext HTTP. For an API, 'HTTPS Only' is usually the better choice: API clients rarely follow redirects, and with a redirect the client's first request, including any headers and body, has already crossed the network in cleartext.
Why other options are incorrect:
- A: AWS Secrets Manager stores and rotates credentials; it plays no part in transport encryption between CloudFront and an origin.
- C: A CloudFront origin has separate HTTP Port and HTTPS Port settings, and the HTTP port is only used when CloudFront connects over HTTP. Changing it to 443 merely sends cleartext HTTP to port 443; only the Origin Protocol Policy (B) forces HTTPS.
- E: The viewer security policy and the Origin SSL Protocols setting restrict which TLS versions may be negotiated on connections that are already HTTPS. They do not stop CloudFront from accepting or forwarding cleartext HTTP while the protocol policies still allow it, so they complement B and D rather than replace them.
Key Points:
- Use Viewer Protocol Policy to enforce HTTPS for user-to-CloudFront traffic; check the default cache behavior and every path-specific behavior, since each has its own policy.
- Use Origin Protocol Policy to enforce HTTPS for CloudFront-to-origin traffic; a custom origin must then present a certificate from a CA that CloudFront trusts, valid for the origin domain name (or the Host header CloudFront forwards), and the Origin SSL Protocols should exclude SSLv3 and TLSv1.0.
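The following is an added example, not part of the original question or of any AWS tooling: a small audit that walks a distribution configuration and reports every path on which either leg can still carry cleartext, then applies options B and D. It assumes the input dict has the shape returned by boto3's cloudfront.get_distribution_config()["DistributionConfig"]; the sample configuration, its origin IDs and domain names are constructed for the example, and no AWS API is called. It also goes beyond the question in one respect: an S3 bucket origin has no Origin Protocol Policy, and CloudFront forwards to it with the protocol the viewer used, so that leg is treated as encrypted only when every behavior routed to the bucket enforces HTTPS.

```python
"""Audit a CloudFront DistributionConfig for cleartext on either leg.

The input mirrors boto3's get_distribution_config()["DistributionConfig"].
The sample below is constructed by hand; nothing here talks to AWS.
"""
import copy

SECURE_VIEWER_POLICIES = {"https-only", "redirect-to-https"}   # option D
SECURE_ORIGIN_POLICY = "https-only"                            # option B


def iter_behaviors(cfg):
    """Yield (path_pattern, behavior) for the default and every path-specific behavior."""
    yield "*", cfg["DefaultCacheBehavior"]
    for b in cfg.get("CacheBehaviors", {}).get("Items", []):
        yield b["PathPattern"], b


def audit_distribution(cfg):
    """Return a list of findings; an empty list means both legs are encrypted."""
    findings = []
    viewer_enforced = {}  # origin id -> False if any behavior routed to it accepts HTTP
    for pattern, b in iter_behaviors(cfg):
        policy = b["ViewerProtocolPolicy"]
        ok = policy in SECURE_VIEWER_POLICIES
        target = b["TargetOriginId"]
        viewer_enforced[target] = viewer_enforced.get(target, True) and ok
        if not ok:
            findings.append(
                f"behavior {pattern!r}: ViewerProtocolPolicy={policy} accepts cleartext from viewers")

    for origin in cfg["Origins"]["Items"]:
        oid = origin["Id"]
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            # S3 bucket (REST endpoint) origin: CloudFront forwards with the protocol the
            # viewer used, so this leg is only encrypted when every behavior routed to
            # the bucket enforces HTTPS.
            if not viewer_enforced.get(oid, True):
                findings.append(
                    f"origin {oid!r}: S3 origin inherits the viewer protocol and a behavior allows HTTP")
            continue
        opp = custom["OriginProtocolPolicy"]
        if opp != SECURE_ORIGIN_POLICY:
            findings.append(
                f"origin {oid!r}: OriginProtocolPolicy={opp} can forward to the origin over HTTP")
        if opp == "http-only" and custom.get("HTTPPort") == 443:
            # The option C distractor: HTTPPort is just the port used for cleartext connections.
            findings.append(
                f"origin {oid!r}: HTTPPort=443 with http-only still sends cleartext HTTP to port 443")
    return findings


def harden(cfg):
    """Return a copy of cfg with options B and D applied; the input is left untouched."""
    fixed = copy.deepcopy(cfg)
    for _, b in iter_behaviors(fixed):
        if b["ViewerProtocolPolicy"] not in SECURE_VIEWER_POLICIES:
            # 'https-only' rather than a redirect: API clients rarely follow 301s.
            b["ViewerProtocolPolicy"] = "https-only"
    for origin in fixed["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is not None:
            custom["OriginProtocolPolicy"] = SECURE_ORIGIN_POLICY
    return fixed


# Constructed sample: both legs leak cleartext. Origin IDs and domains are placeholders.
WEAK_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "api-origin", "DomainName": "api.example.internal",
         "CustomOriginConfig": {"HTTPPort": 443, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "http-only",
                                "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}},
        {"Id": "assets-bucket", "DomainName": "assets-example.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "api-origin",
                             "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/static/*", "TargetOriginId": "assets-bucket",
         "ViewerProtocolPolicy": "allow-all"},
    ]},
}

if __name__ == "__main__":
    for finding in audit_distribution(WEAK_CONFIG):
        print("FAIL", finding)
    print("after harden:", audit_distribution(harden(WEAK_CONFIG)) or "no findings")
```

Run against the sample, the audit reports the default behavior and the /static/* behavior for accepting HTTP, the custom origin for forwarding over HTTP (and for the port-443 distractor), and the bucket origin for inheriting an HTTP viewer connection; after harden() there are no findings. The same function can be pointed at a live distribution by passing the DistributionConfig dict returned by boto3.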
Answer
The correct answer is: BD