AWS Certified SysOps Administrator – Associate — Question 459
A company is using Amazon CloudFront to serve static content for its web application to its users. The CloudFront distribution uses an existing on-premises website as a custom origin.
The company requires the use of TLS between CloudFront and the origin server. This configuration has worked as expected for several months. However, users are now experiencing HTTP 502 (Bad Gateway) errors when they view webpages that include content from the CloudFront distribution.
What should a SysOps administrator do to resolve this problem?
Answer options
- A. Examine the expiration date on the certificate on the origin site. Validate that the certificate has not expired. Replace the certificate if necessary.
- B. Examine the hostname on the certificate on the origin site. Validate that the hostname matches one of the hostnames on the CloudFront distribution. Replace the certificate if necessary.
- C. Examine the firewall rules that are associated with the origin server. Validate that port 443 is open for inbound traffic from the internet. Create an inbound rule if necessary.
- D. Examine the network ACL rules that are associated with the CloudFront distribution. Validate that port 443 is open for outbound traffic to the origin server. Create an outbound rule if necessary.
Correct answer: A
Explanation
CloudFront returns an HTTP 502 (Bad Gateway) error when it cannot complete the SSL/TLS handshake with the custom origin. Because the configuration worked as expected for several months before failing, the most likely cause is that the SSL/TLS certificate on the origin server has expired. Checking the certificate's expiration date and replacing the certificate if it has expired will restore the secure connection and resolve the error.