AWS Certified Developer – Associate / Question #912 of 557

Question #912

A developer is configuring an Amazon CloudFront distribution in front of an internet-facing Application Load Balancer (ALB) serving a web application on EC2 instances. The developer needs to ensure that all data transmitted between users and the application is encrypted in transit.

Which two CloudFront settings must be configured to meet this requirement? (Choose two.)

A

Implement signed URLs for content access.

B

Set the origin protocol policy to Match Viewer.

C

Enable field-level encryption for sensitive data.

D

Configure the distribution to compress content.

E

Enforce HTTPS by redirecting HTTP traffic to HTTPS.

Explanation

The correct answers are B and E.

Why B (Set origin protocol policy to Match Viewer): With Match Viewer, CloudFront connects to the ALB over HTTPS whenever the viewer (user) connected to CloudFront over HTTPS. Because E forces every viewer connection onto HTTPS, CloudFront will always use HTTPS to the origin, so the CloudFront-to-ALB hop is encrypted as well.

Why E (Enforce HTTPS redirect): Redirecting HTTP to HTTPS ensures all user-to-CloudFront traffic is encrypted.

Why others are incorrect:
- A: Signed URLs control access but don't enforce encryption.
- C: Field-level encryption protects specific data fields but doesn't ensure full transport encryption.
- D: Compression optimizes data transfer but isn't related to encryption.

Key Points:
1. Use HTTPS enforcement (E) for user-to-CloudFront encryption.
2. Set origin protocol to Match Viewer (B) to ensure CloudFront-to-ALB encryption when combined with HTTPS enforcement.
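To make the two settings concrete, here is an added audit script (not part of the original question or of any AWS tooling) that checks a CloudFront distribution configuration for both points: every cache behavior must force HTTPS on the viewer side, and every custom origin (an ALB is a custom origin) must use `match-viewer` or `https-only`. The dictionary shape mirrors what boto3's `get_distribution_config()` returns under `DistributionConfig`, and the field values (`redirect-to-https`, `allow-all`, `match-viewer`, `http-only`, ...) are the real CloudFront API values; the sample configurations and the `audit_distribution_config` function name are constructed for this example, and no AWS call is made.

```python
"""Audit a CloudFront distribution config for encryption in transit.

Checks both hops: viewer -> CloudFront (ViewerProtocolPolicy) and
CloudFront -> origin (OriginProtocolPolicy on custom origins such as an ALB).
"""
from typing import Dict, List

# Values the CloudFront API accepts for these settings; the ones listed here
# guarantee TLS on that hop.
SAFE_VIEWER_POLICIES = {"redirect-to-https", "https-only"}
SAFE_ORIGIN_POLICIES = {"match-viewer", "https-only"}


def audit_distribution_config(config: Dict) -> List[str]:
    """Return a list of findings. An empty list means every behavior forces
    HTTPS from viewers and every custom origin is reached over HTTPS."""
    findings: List[str] = []

    # Hop 1: viewer side. The default behavior plus every path-pattern behavior.
    behaviors = [("default", config["DefaultCacheBehavior"])]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))

    weak_behaviors = []
    for name, behavior in behaviors:
        policy = behavior.get("ViewerProtocolPolicy", "allow-all")
        if policy not in SAFE_VIEWER_POLICIES:
            weak_behaviors.append(name)
            findings.append(
                f"behavior '{name}': ViewerProtocolPolicy={policy} "
                "allows plain HTTP from viewers"
            )

    # Hop 2: origin side. Only custom origins carry OriginProtocolPolicy;
    # S3 origins use OAC/OAI and have no such field, so they are skipped.
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        origin_id = origin["Id"]
        policy = custom.get("OriginProtocolPolicy", "http-only")
        if policy not in SAFE_ORIGIN_POLICIES:
            findings.append(
                f"origin '{origin_id}': OriginProtocolPolicy={policy} "
                "sends traffic to the origin unencrypted"
            )
        elif policy == "match-viewer" and weak_behaviors:
            # match-viewer inherits the viewer's protocol, so it only yields
            # HTTPS to the origin if every behavior forces HTTPS on viewers.
            findings.append(
                f"origin '{origin_id}': match-viewer relies on HTTPS viewers, "
                f"but behaviors {weak_behaviors} still allow HTTP"
            )
    return findings


def _sample_config(viewer_policy: str, origin_policy: str) -> Dict:
    """Constructed sample in the shape of DistributionConfig (not real data)."""
    return {
        "DefaultCacheBehavior": {
            "TargetOriginId": "alb-origin",
            "ViewerProtocolPolicy": viewer_policy,
        },
        "CacheBehaviors": {"Quantity": 0, "Items": []},
        "Origins": {
            "Quantity": 1,
            "Items": [
                {
                    "Id": "alb-origin",
                    "DomainName": "example-alb.elb.amazonaws.com",  # placeholder
                    "CustomOriginConfig": {
                        "HTTPPort": 80,
                        "HTTPSPort": 443,
                        "OriginProtocolPolicy": origin_policy,
                    },
                }
            ],
        },
    }


# Weak: option B and E both missing.
WEAK_CONFIG = _sample_config("allow-all", "http-only")
# Only B applied: match-viewer without forced HTTPS still leaks plain HTTP.
HALF_CONFIG = _sample_config("allow-all", "match-viewer")
# B and E applied: encrypted on both hops.
HARDENED_CONFIG = _sample_config("redirect-to-https", "match-viewer")

if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("half", HALF_CONFIG),
                       ("hardened", HARDENED_CONFIG)]:
        print(label, audit_distribution_config(cfg) or "OK")
```

The `HALF_CONFIG` case is the one the explanation warns about: Match Viewer on its own is only as strong as the viewer policy it mirrors, which is why B and E are required together. To run this against a live distribution, feed it `boto3.client("cloudfront").get_distribution_config(Id=...)["DistributionConfig"]`.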

Answer

The correct answer is: BE