Question #1191
A solutions architect is designing an Amazon CloudFront distribution for a compliance-sensitive application. The application already uses HTTPS, but regulatory requirements mandate that specific user data fields must remain encrypted at all stages of processing. Additionally, decryption should only be possible by authorized backend services. Which configuration should the solutions architect implement to meet these requirements?
A. Use CloudFront signed URLs to restrict access to sensitive data.
B. Implement CloudFront signed cookies to authenticate users.
C. Enable CloudFront field-level encryption for the specified data fields.
D. Set the Origin Protocol Policy to HTTPS Only and enforce strict TLS versions.
Explanation
Option C is correct because CloudFront field-level encryption encrypts specific data fields at the edge before forwarding requests to the origin. This ensures the fields remain encrypted during transit and at rest, decryptable only by backend services with the private key.
- Why not A/B: Signed URLs/cookies control access but do not encrypt data fields. Data is decrypted at the origin, violating the 'encrypted at all stages' requirement.
- Why not D: Enforcing HTTPS/TLS secures data in transit but does not protect specific fields after decryption at the origin.
Key Points: Field-level encryption is designed for end-to-end encryption of sensitive data fields, aligning with strict compliance needs where data must stay encrypted until processed by authorized systems.
Answer
The correct answer is: C