AWS Certified Developer – Associate (DVA-C02) — Question 346
A developer is writing a web application that is deployed on Amazon EC2 instances behind an internet-facing Application Load Balancer (ALB). The developer must add an Amazon CloudFront distribution in front of the ALB. The developer also must ensure that customer data from outside the VPC is encrypted in transit.
Which combination of CloudFront configuration settings should the developer use to meet these requirements? (Choose two.)
Answer options
- A. Restrict viewer access by using signed URLs.
- B. Set the Origin Protocol Policy setting to Match Viewer.
- C. Enable field-level encryption.
- D. Enable automatic object compression.
- E. Set the Viewer Protocol Policy setting to Redirect HTTP to HTTPS.
Correct answer: B, E
Explanation
To enforce encryption in transit on the client-to-CloudFront leg, the Viewer Protocol Policy must be set to Redirect HTTP to HTTPS (option E), so that any plain-HTTP request is redirected and every viewer connection that CloudFront forwards began over TLS. To keep that encryption on the CloudFront-to-ALB leg, the Origin Protocol Policy must be set to Match Viewer (option B): CloudFront then connects to the origin with the same protocol the viewer used, and because the viewer policy has already forced HTTPS, both legs of the transit are encrypted. Signed URLs (A) control who may access content, and field-level encryption (C) protects individual form fields rather than the whole connection; neither provides transport-level encryption for all data in transit, and automatic object compression (D) is unrelated to encryption.
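The following audit helper is an added example, not part of the exam question or of any AWS documentation. It checks a CloudFront DistributionConfig, in the shape that boto3's `get_distribution_config()` returns, for the two settings the explanation relies on, and it also captures the caveat that Match Viewer only yields HTTPS to the origin when the viewer policy already forces HTTPS. The sample configurations and the ALB domain name are constructed placeholders; no AWS API is called.

```python
"""
Added example (not the exam's or AWS's own code): audit a CloudFront
DistributionConfig for encryption in transit on both legs.

Input shape mirrors boto3 cloudfront.get_distribution_config()["DistributionConfig"];
all sample data below is constructed for illustration.
"""

# Viewer-side policies that guarantee the client-to-CloudFront leg uses TLS.
SECURE_VIEWER_POLICIES = {"redirect-to-https", "https-only"}


def _behaviors(distribution_config: dict) -> list:
    """Default behavior plus any path-pattern behaviors, in evaluation order."""
    extra = distribution_config.get("CacheBehaviors", {}).get("Items", [])
    return [distribution_config["DefaultCacheBehavior"], *extra]


def audit_transit_encryption(distribution_config: dict) -> list:
    """Return a list of findings; an empty list means both legs are encrypted."""
    findings = []
    behaviors = _behaviors(distribution_config)

    # Leg 1: viewer -> CloudFront. Every behavior must redirect or require HTTPS.
    plaintext_behaviors = []
    for behavior in behaviors:
        path = behavior.get("PathPattern", "default")
        vpp = behavior.get("ViewerProtocolPolicy", "allow-all")
        if vpp not in SECURE_VIEWER_POLICIES:
            plaintext_behaviors.append(path)
            findings.append(
                f"behavior {path!r}: ViewerProtocolPolicy={vpp} accepts plaintext from viewers"
            )
    viewer_forces_https = not plaintext_behaviors

    # Leg 2: CloudFront -> origin. S3 origins have no protocol policy; custom
    # origins (such as an ALB) do.
    for origin in distribution_config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        opp = custom.get("OriginProtocolPolicy", "http-only")
        if opp == "http-only":
            findings.append(
                f"origin {origin['Id']!r}: OriginProtocolPolicy=http-only sends plaintext to origin"
            )
        elif opp == "match-viewer" and not viewer_forces_https:
            # match-viewer mirrors the viewer's scheme, so it is only safe once
            # the viewer leg is forced to HTTPS (options B and E together).
            findings.append(
                f"origin {origin['Id']!r}: OriginProtocolPolicy=match-viewer mirrors "
                f"plaintext viewers on behaviors {plaintext_behaviors}"
            )
    return findings


def sample_config(viewer_policy: str, origin_policy: str) -> dict:
    """Constructed DistributionConfig with one ALB-style custom origin."""
    return {
        "CallerReference": "constructed-example",
        "DefaultCacheBehavior": {
            "TargetOriginId": "alb-origin",
            "ViewerProtocolPolicy": viewer_policy,
        },
        "Origins": {
            "Quantity": 1,
            "Items": [
                {
                    "Id": "alb-origin",
                    # Placeholder hostname, not a real load balancer.
                    "DomainName": "example-alb-placeholder.elb.amazonaws.com",
                    "CustomOriginConfig": {
                        "HTTPPort": 80,
                        "HTTPSPort": 443,
                        "OriginProtocolPolicy": origin_policy,
                    },
                }
            ],
        },
    }


# Weak setting: viewers may use HTTP, and match-viewer then mirrors that to the ALB.
WEAK_CONFIG = sample_config("allow-all", "match-viewer")
# Corrected setting from the answer key: options E and B together.
CORRECT_CONFIG = sample_config("redirect-to-https", "match-viewer")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("correct", CORRECT_CONFIG)):
        print(name, audit_transit_encryption(cfg) or "OK: both legs encrypted")
```

Running the module prints two findings for the weak configuration and `OK` for the corrected one. The check also flags `https-only` on the viewer side as acceptable, since it is strictly stronger than the redirect; the exam's answer key asks for the redirect because it keeps existing HTTP clients working while still forcing TLS.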