AWS Certified Developer – Associate — Question 435

The developer is creating a web application that collects highly regulated and confidential user data through a POST request. The web application is served through Amazon CloudFront. User names and phone numbers must be encrypted at the edge and must remain encrypted throughout the entire application stack.
What is the MOST secure way to meet these requirements?

Answer options

• A. Enforce Match Viewer with HTTPS Only on CloudFront.
• B. Use only the newest TLS security policy on CloudFront.
• C. Enforce a signed URL on CloudFront on the front end.
• D. Use field-level encryption on CloudFront.

Correct answer: D

Explanation

Amazon CloudFront field-level encryption allows you to securely upload user-submitted sensitive data and encrypt it at the edge using public keys, ensuring it remains encrypted throughout the entire application stack until it reaches the destination services that possess the corresponding private keys. Other options like enforcing HTTPS, updating TLS policies, or using signed URLs secure the communication channel or restrict access, but they do not keep specific data fields encrypted end-to-end within the application stack.