AWS Certified SysOps Administrator – Associate — Question 296
A company is building a web application on AWS. The company is using Amazon CloudFront with a domain name of www.example.com. All traffic to CloudFront must be encrypted in transit. The company already has provisioned an SSL certificate for www.example.com in AWS Certificate Manager (ACM).
Which combination of steps should a SysOps administrator take to encrypt the traffic in transit? (Choose two.)
Answer options
- A. For each cache behavior in the CloudFront distribution, modify the Viewer Protocol Policy setting to redirect HTTP to HTTPS.
- B. For each cache behavior in the CloudFront distribution, modify the Viewer Protocol Policy setting to allow HTTP and HTTPS.
- C. Enter the alternate domain name (CNAME) of www.example.com for the CloudFront distribution. Select the custom SSL certificate.
- D. Configure an AWS WAF web ACL for the CloudFront distribution.
- E. Configure CloudFront Origin Shield for the CloudFront origin.
Correct answer: A, C
Explanation
To enforce encryption in transit for a custom domain on Amazon CloudFront, you must associate the custom domain (the alternate domain name, or CNAME) and its ACM SSL certificate with the CloudFront distribution. In addition, setting the Viewer Protocol Policy to redirect HTTP to HTTPS ensures that every unencrypted viewer request is upgraded to HTTPS rather than served in plaintext. Allowing both HTTP and HTTPS does not enforce encryption, because plaintext requests are still served; AWS WAF and Origin Shield do not address SSL/TLS configuration for the viewer-facing domain.