
Exam AWS Certified Security - Specialty topic 1 question 303 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 303
Topic #: 1

A company has a website with an Amazon CloudFront HTTPS distribution, an Application Load Balancer (ALB) with multiple web instances for dynamic website content, and an Amazon S3 bucket for static website content. The company's security engineer recently updated the website security requirements:
✑ HTTPS needs to be enforced for all data in transit with specific ciphers.
✑ The CloudFront distribution needs to be accessible from the internet only.
Which solution will meet these requirements?

  • A. Set up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers. Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.
  • B. Set up an S3 bucket policy with the aws:securetransport key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.
  • C. Modify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges.
  • D. Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTP listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect to Amazon S3. Create a bucket policy to allow access from these proxies only.
Suggested Answer: A 🗳️
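The S3 part of option A, as an added example (not from the exam page or AWS's own tooling): a bucket policy that denies any request not made over TLS via the aws:SecureTransport condition key and allows object reads only to the CloudFront origin access identity, plus a minimal evaluator that shows why the explicit Deny wins over the Allow. The bucket name and OAI id are constructed placeholders.

```python
import json

# Constructed placeholders, not a real bucket or OAI
BUCKET = "example-static-site-bucket"
OAI_ID = "E2EXAMPLEOAIID"


def build_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy as a dict; json.dumps() it to apply with put-bucket-policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Any caller, any action: denied when the request is not over TLS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Only the CloudFront OAI may read objects (no public read needed)
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/"
                                     f"CloudFront Origin Access Identity {oai_id}"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def is_get_allowed(policy: dict, principal_arn: str, secure_transport: bool) -> bool:
    """Toy evaluator for the two statements above only: an explicit Deny whose
    condition matches wins, otherwise an Allow must name the principal."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt["Effect"] == "Deny" and cond.get("aws:SecureTransport") == "false" \
                and not secure_transport:
            return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and stmt["Principal"].get("AWS") == principal_arn:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, OAI_ID), indent=2))
```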

Comments

network_zeal
Highly Voted 3 years, 5 months ago
A, with https://aws.amazon.com/blogs/security/automatically-update-aws-waf-ip-sets-with-aws-ip-ranges/ to update CF ip range. B does not enforce cipher on s3 content.
upvoted 11 times
epomatti
Most Recent 1 year, 8 months ago
Selected Answer: A
Remember that you CANNOT configure specific ciphers for CloudFront. You must choose from a pre-defined policy set, and it is only available when using a custom certificate, not for the default one. Having said that, it looks like A is correct.
upvoted 2 times
Toptip
2 years ago
Selected Answer: A
A is the correct answer
upvoted 1 times
awsec2
2 years, 5 months ago
A. This solution will enforce HTTPS for all data in transit with specific ciphers, as required. The S3 bucket policy with the aws:securetransport key will ensure that all data transferred between the bucket and CloudFront is encrypted. The CloudFront OAI will allow CloudFront to access the S3 bucket, and the ciphers can be configured in the CloudFront distribution. The ALB will be enforced with an HTTPS listener only, which will allow it to accept only encrypted traffic. AWS WAF can be used to allow access to the ALB only from the CloudFront IP ranges, ensuring that the CloudFront distribution is accessible from the internet only.
upvoted 1 times
barbodelli
2 years, 7 months ago
You have 2 delivery methods specified:
Internet -> Cloudfront -> ALB -> EC2
Internet -> Cloudfront -> S3
B only takes care of S3. In order to add OAI type function to ALB -> EC2, you also need to do the steps in A.
upvoted 2 times
QBB
2 years, 9 months ago
Selected Answer: A
A! https://aws.amazon.com/blogs/security/automatically-update-aws-waf-ip-sets-with-aws-ip-ranges/
upvoted 1 times
francisco_guerra
2 years, 9 months ago
Answer is A check this: AWS publishes the IP ranges in JSON format for CloudFront and other AWS services. If your origin is an Elastic Load Balancer or an Amazon EC2 instance, you can use VPC security groups to allow only CloudFront IP ranges to access your applications. The IP ranges in the list are separated by service and Region, and you must specify only the IP ranges that correspond to CloudFront. https://aws.amazon.com/blogs/security/automatically-update-security-groups-for-amazon-cloudfront-ip-ranges-using-aws-lambda/
upvoted 1 times
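The ip-ranges filtering that the two linked AWS blog posts automate, as an added example that is not part of any comment above and not AWS's code: parse a document in the shape of ip-ranges.json, keep only the CLOUDFRONT prefixes (the list mixes services and Regions), validate each CIDR, and diff the result against what a WAF IP set or security group currently holds. The sample document is constructed from RFC 5737/3849 documentation ranges, not real AWS ranges.

```python
import ipaddress
import json

# Constructed sample mirroring the ip-ranges.json layout (not real AWS data)
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT",
         "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "CLOUDFRONT",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON",
         "network_border_group": "GLOBAL"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT",
         "network_border_group": "GLOBAL"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "GLOBAL", "service": "AMAZON",
         "network_border_group": "GLOBAL"},
    ],
})


def service_prefixes(ip_ranges_json: str, service: str = "CLOUDFRONT"):
    """Return (ipv4, ipv6) sorted CIDR lists for one service. ip_network()
    raises ValueError on a malformed entry, so nothing bad reaches the IP set."""
    doc = json.loads(ip_ranges_json)
    v4 = {p["ip_prefix"] for p in doc["prefixes"] if p["service"] == service}
    v6 = {p["ipv6_prefix"] for p in doc["ipv6_prefixes"] if p["service"] == service}
    v4 = sorted((str(ipaddress.ip_network(c)) for c in v4), key=ipaddress.ip_network)
    v6 = sorted((str(ipaddress.ip_network(c)) for c in v6), key=ipaddress.ip_network)
    return v4, v6


def ip_set_changes(current, desired):
    """(to_add, to_remove) between the addresses currently allowed and the
    freshly published list. WAF's UpdateIPSet takes the full desired list;
    a security group needs explicit authorize/revoke calls per entry."""
    cur, want = set(current), set(desired)
    return (sorted(want - cur, key=ipaddress.ip_network),
            sorted(cur - want, key=ipaddress.ip_network))


if __name__ == "__main__":
    v4, v6 = service_prefixes(SAMPLE_IP_RANGES)
    print("CloudFront IPv4:", v4, "IPv6:", v6)
    print("changes:", ip_set_changes(["192.0.2.0/24", "203.0.113.0/24"], v4))
```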
YouYouYou
3 years, 4 months ago
You can configure CloudFront to use a specific cipher in B as well, which is a less complex solution and meets the requirements; answer B is better.
upvoted 3 times
argol
3 years, 5 months ago
Configure CloudFront to use specific ciphers: "A" is the answer.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other