Question #590
A developer is setting up an application that exposes an Amazon API Gateway REST API in the eu-west-1 Region. They plan to put Amazon CloudFront in front of the API under a custom domain name, with an SSL/TLS certificate obtained from a third-party provider. How should they configure the custom domain?
A. Import the SSL/TLS certificate into AWS Certificate Manager (ACM) in the same Region as the API. Create a DNS A record for the custom domain.
B. Import the SSL/TLS certificate into CloudFront. Create a DNS CNAME record for the custom domain.
C. Import the SSL/TLS certificate into AWS Certificate Manager (ACM) in the same Region as the API. Create a DNS CNAME record for the custom domain.
D. Import the SSL/TLS certificate into AWS Certificate Manager (ACM) in the us-east-1 Region. Create a DNS CNAME record for the custom domain.
Explanation
When Amazon CloudFront serves a custom domain with a third-party SSL/TLS certificate, the certificate must be imported into AWS Certificate Manager (ACM) in the us-east-1 (N. Virginia) Region. CloudFront is a global service that terminates TLS at its edge locations, and it only reads ACM certificates from us-east-1, regardless of the Region that hosts the origin (here, the API in eu-west-1). The custom domain must also be listed as an alternate domain name on the distribution, and the certificate's subject or subject alternative names must cover it, or CloudFront will refuse the association. On the DNS side, a CNAME record (or, in Route 53, an alias record, which is the only option at a zone apex) points the custom domain at the distribution's domain name (e.g., d123.cloudfront.net); CloudFront does not expose fixed IP addresses to put in a plain A record.
Why other options are incorrect:
- A: For CloudFront the certificate must be in ACM in us-east-1, not in the API's Region. A plain A record holds an IP address, and CloudFront's edge addresses are not fixed; only a Route 53 alias record (not what this option describes) can map a name to the distribution.
- B: CloudFront has no certificate store of its own; a third-party certificate is imported into ACM in us-east-1 (or, as a legacy alternative, the IAM certificate store) and then referenced from the distribution.
- C: The DNS record type is right, but the certificate must be in us-east-1, not the same Region as the API.
Key Points:
1. CloudFront only uses ACM certificates stored in us-east-1, whatever Region the origin lives in.
2. Use a CNAME record (or a Route 53 alias record) pointing at the distribution's domain name; a plain A record does not work for CloudFront.
3. Third-party certificates are imported into ACM, not uploaded to CloudFront directly, and ACM does not renew imported certificates: the operator must re-import a fresh certificate before expiry (re-importing to the existing certificate ARN keeps the distribution's reference valid).
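As an added illustration, not part of the original question or of any AWS sample, the configuration in answer D expressed in Terraform. The point to notice is the second provider with a us-east-1 alias: the API's provider stays in eu-west-1, but the imported certificate must be created through the us-east-1 provider or CloudFront cannot reference it. The domain api.example.com, the API ID abc123, the stage name, the certificate file names and the Route 53 zone ID are placeholders.

```hcl
# Default provider: the Region where the API Gateway REST API lives.
provider "aws" {
  region = "eu-west-1"
}

# Second provider pinned to us-east-1; CloudFront only reads ACM
# certificates from this Region.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

# Import the third-party certificate into ACM in us-east-1.
# (File names are placeholders; the certificate must cover api.example.com.)
resource "aws_acm_certificate" "cf" {
  provider          = aws.us_east_1
  private_key       = file("api.example.com.key")
  certificate_body  = file("api.example.com.crt")
  certificate_chain = file("chain.pem")
}

resource "aws_cloudfront_distribution" "api" {
  enabled = true
  # Alternate domain name; must match a name on the certificate above.
  aliases = ["api.example.com"]

  origin {
    # Placeholder API ID and stage; the stage goes in origin_path.
    domain_name = "abc123.execute-api.eu-west-1.amazonaws.com"
    origin_id   = "apigw"
    origin_path = "/prod"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"   # never plaintext to the origin
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "apigw"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]

    # Pass the Authorization header through so API Gateway authorizers
    # see it; TTLs of 0 because API responses are not cached here.
    forwarded_values {
      query_string = true
      headers      = ["Authorization"]
      cookies {
        forward = "none"
      }
    }
    min_ttl     = 0
    default_ttl = 0
    max_ttl     = 0
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # ARN of the us-east-1 certificate; a eu-west-1 ARN is rejected here.
    acm_certificate_arn      = aws_acm_certificate.cf.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

# CNAME from the custom domain to the distribution's domain name.
# At a zone apex use a Route 53 alias A record instead (CNAME is not allowed there).
resource "aws_route53_record" "api" {
  zone_id = var.zone_id   # placeholder hosted zone ID
  name    = "api.example.com"
  type    = "CNAME"
  ttl     = 300
  records = [aws_cloudfront_distribution.api.domain_name]
}
```

If the `provider = aws.us_east_1` line is dropped, `terraform apply` creates the certificate in eu-west-1 and the distribution fails with an error that the certificate does not exist, which is exactly the mistake options A and C describe. Because the certificate is imported rather than issued by ACM, the same `aws_acm_certificate` resource must be updated with new file contents before the certificate expires.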
Answer
The correct answer is: D