AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 333
Merchants subject to the Payment Card Industry Data Security Standard (PCI DSS) who handle credit card data must use strong cryptography. These merchants must also use security protocols to protect sensitive data during transmission over public networks.
A team will migrate the PCI DSS application from an on-premises SSL appliance and Apache to a VPC behind Amazon CloudFront.
How should you configure CloudFront to meet this requirement?
Answer options
- A. Configure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin's Protocol Policy to 'Match Viewer'.
- B. Configure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the origin without TLS termination at the edge.
- C. Configure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via AWS Direct Connect.
- D. Configure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward requests to the origin via the Amazon private network.
Correct answer: C
Explanation
To satisfy PCI DSS requirements for secure data transmission, the CloudFront Cache Behavior must be configured to require HTTPS for client-to-edge communication. Forwarding requests to the origin via AWS Direct Connect ensures a secure, private network path that bypasses the public internet entirely. Other options either do not guarantee a private connection to the origin or rely on unsupported configurations like raw TCP pass-through without TLS termination at the edge.