AWS Certified Security – Specialty — Question 391
A company has two web applications that run on Amazon EC2 and Amazon S3. The applications failed an HTTP security audit, and users are reporting latency issues.
The applications need to deliver web content at low latencies while improving security and privacy for users and content providers. The company must implement a solution that does not require changes to the application code.
Which combination of actions should the company take to meet these requirements? (Choose two.)
Answer options
- A. Deploy Amazon API Gateway. Cache the endpoint’s responses.
- B. Configure Amazon API Gateway with a request parameter-based AWS Lambda authorizer to add HTTP security headers on origin responses.
- C. Write a Lambda@Edge function to add HTTP security headers on origin responses.
- D. Configure Amazon CloudFront. Create a distribution for the EC2 and S3 origins.
- E. Implement an Application Load Balancer (ALB) to honor the connection header from the incoming client request after forwarding the response back to the client.
Correct answer: C, D
Explanation
Amazon CloudFront (Option D) reduces latency for global users by caching content at edge locations and acts as a CDN for Amazon EC2 and Amazon S3 origins. To resolve the security audit failures without modifying the application code, a Lambda@Edge function (Option C) can be used to intercept origin responses and inject required HTTP security headers. Other options, like Amazon API Gateway or Application Load Balancer configurations, do not provide this combined capability of edge caching and header manipulation without code changes.
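As an added illustration of Option C (example code, not part of the original question or of any AWS sample), the following Node.js Lambda@Edge handler runs on the origin-response trigger and injects the headers an HTTP security audit typically looks for; the header set and values are assumptions to be tuned per application, and the sample origin response is constructed. `missingSecurityHeaders` doubles as the audit check you can run on the raw origin response and on the edge output.

```javascript
// Headers the audit expects on every response. Values are hardening defaults assumed
// for this example; the CSP in particular must be tuned to the application's real origins.
const SECURITY_HEADERS = {
  'strict-transport-security': { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  'content-security-policy': { key: 'Content-Security-Policy', value: "default-src 'self'; object-src 'none'; frame-ancestors 'none'" },
  'x-content-type-options': { key: 'X-Content-Type-Options', value: 'nosniff' },
  'x-frame-options': { key: 'X-Frame-Options', value: 'DENY' },
  'referrer-policy': { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  'permissions-policy': { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
};

// Names of expected headers that a CloudFront-format header map does not carry (the audit check).
function missingSecurityHeaders(headers) {
  return Object.keys(SECURITY_HEADERS).filter((name) => !(headers[name] && headers[name].length));
}

// Inject the missing headers into a CloudFront response object. CloudFront keys headers
// by lowercase name and stores each as an array of {key, value}. A header the origin
// already sets is left alone, so the edge function hardens without clobbering an
// origin that has a deliberate policy of its own.
function addSecurityHeaders(response) {
  const headers = response.headers || (response.headers = {});
  for (const name of missingSecurityHeaders(headers)) {
    const { key, value } = SECURITY_HEADERS[name];
    headers[name] = [{ key, value }];
  }
  return response;
}

// Lambda@Edge entry point for the origin-response trigger: the response is modified
// before CloudFront caches it, so cached copies carry the headers as well.
async function handler(event) {
  return addSecurityHeaders(event.Records[0].cf.response);
}

// Constructed sample of what the EC2/S3 origin returns (no hardening headers, own CSP).
function sampleOriginResponse() {
  return {
    status: '200',
    statusDescription: 'OK',
    headers: {
      'content-type': [{ key: 'Content-Type', value: 'text/html' }],
      'content-security-policy': [{ key: 'Content-Security-Policy', value: "default-src 'self'" }],
    },
  };
}

// Lambda looks up exports.handler; guarded so the file also loads outside CommonJS.
if (typeof module !== 'undefined') module.exports = { handler, addSecurityHeaders, missingSecurityHeaders, sampleOriginResponse };
```

Because the headers are added on the origin-response event rather than viewer-response, CloudFront stores them with the cached object, so cache hits served from the edge carry the same headers without invoking the function again.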