Exam AWS Certified Security - Specialty topic 1 question 138 discussion

DE is correct https://aws.amazon.com/premiumsupport/knowledge-center/custom-ssl-certificate-cloudfront/

DE to me

DE....

https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html The above link is too sweet to ignore for this question

The best answer is DE.

CD CloudFront can use an SSL/TLS certificate stored in AWS Certificate Manager (ACM) or a custom SSL/TLS certificate. When using a custom SSL/TLS certificate, you must import the certificate, private key, and certificate chain into ACM or IAM. To ensure that the certificate is available in the CloudFront console, it should be imported in the us-east-1 (N. Virginia) Region, and the certificate, private key, and certificate chain must be PKCS #12-encoded. Option A is incorrect because UploadServerCertificate is not a valid API action for importing a certificate to ACM. Option B is incorrect because there is no requirement to use a specific size for the RSA public key. Option E is incorrect because PEM encoding is not required for importing a certificate to ACM.

D&E are correct. It's about the custom domain. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html#cnames-and-https-getting-certificates

Whenever you import a cert to ACM regardless of which service you want to use it with: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html

https://aws.amazon.com/premiumsupport/knowledge-center/custom-ssl-certificate-cloudfront/ To assign an ACM certificate to a CloudFront distribution, you must request or import the certificate in the US East (N. Virginia) Region. If you're using the ACM console, check the Region selector in the navigation bar. Confirm that US East (N. Virginia) is selected before you request or import the certificate. aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/DistributionName/

D: https://aws.amazon.com/premiumsupport/knowledge-center/custom-ssl-certificate-cloudfront/ “ To assign an ACM certificate to a CloudFront distribution, you must request or import the certificate in the US East (N. Virginia) Region. “ E: https://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html “ The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.

Answer is D & E. Private Key is .pem encoded aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/DistributionName/ Also ensure that certificate in imported from us-east North VA https://aws.amazon.com/premiumsupport/knowledge-center/custom-ssl-certificate-cloudfront

Answer: DE Duplicated with Q22 Topic2

Some people are seriously just not thinking at all. A. Nope. B. Really? Go and read the AWS ACM pre-req's. C. Nope. D. Yes. AWS limitation. E. Yes. ACM pre-req's documentation literally has this wording on the site. Answer is DE. Took all of 5 minutes to confirm all of this.

D, E for sure

DE looks fine

can't be B, cloudfront supports max of 2048 bit

Answer: A D