A company is operating a website using Amazon CloudFront. CloudFront serves some content…

Question

A company is operating a website using Amazon CloudFront. CloudFront serves some content from Amazon S3 and other content from web servers running on
Amazon EC2 instances behind an Application Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate
Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.
Which combination of steps should the company take to meet this requirement? (Choose three.)

Accepted Answer

Correct answer: C, E, F. C. Update the CloudFront distribution to redirect HTTP connections to HTTPS. — E. Update the ALB listener to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener. — F. Create a TLS certificate. Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS. — To enforce end-to-end encryption, client-to-CloudFront traffic must be secured by redirecting HTTP to HTTPS (C). CloudFront-to-ALB traffic is secured by placing the public ACM TLS certificate on the ALB and configuring CloudFront to communicate with the origin over HTTPS (E). Finally, ALB-to-EC2 traffic must be encrypted; since public ACM certificates cannot be exported to EC2 instances, a separate TLS certificate must be installed directly on the EC2 web servers, and the ALB must be configured to connect to the target group over HTTPS (F).

AWS Certified Security – Specialty — Question 283

Answer options

Correct answer: C, E, F

Explanation