Exam AWS Certified Security - Specialty topic 1 question 301 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 301
Topic #: 1

A company is operating a website using Amazon CloudFront. CloudFront serves some content from Amazon S3 and other content from web servers running on Amazon EC2 instances behind an Application Load Balancer (ALB). Amazon DynamoDB is used as the data store. The company already uses AWS Certificate Manager (ACM) to store a public TLS certificate that can optionally secure connections between the website users and CloudFront. The company has a new requirement to enforce end-to-end encryption in transit.
Which combination of steps should the company take to meet this requirement? (Choose three.)

  • A. Update the CloudFront distribution, configuring it to optionally use HTTPS when connecting to origins on Amazon S3.
  • B. Update the web application configuration on the web servers to use HTTPS instead of HTTPS when connecting to DynamoDB.
  • C. Update the CloudFront distribution to redirect HTTP connections to HTTPS.
  • D. Configure the web servers on the EC2 instances to listen using HTTPS using the public ACM TLS certificate. Update the ALB to connect to the target group using HTTPS.
  • E. Update the ALB listener to listen using HTTPS using the public ACM TLS certificate. Update the CloudFront distribution to connect to the HTTPS listener.
  • F. Create a TLS certificate. Configure the web servers on the EC2 instances to use HTTPS only with that certificate. Update the ALB to connect to the target group using HTTPS.
Suggested Answer: CEF

Comments

f4bi4n
Highly Voted 3 years, 2 months ago
Selected Answer: CEF
It's CEF - B doesn't make sense, DDB is always HTTPS - the requirement is end to end encryption. In the text it is written that HTTPS is optional on CloudFront, so C
upvoted 13 times
cloud_collector
2 years, 9 months ago
Yes, B is default using HTTPS. Data in transit: All your data in DynamoDB is encrypted in transit (except the data in DAX). By default, communications to and from DynamoDB use the HTTPS protocol, which protects network traffic by using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.usagenotes.html
upvoted 1 times
kujin
2 years, 4 months ago
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionInTransit.html
upvoted 1 times
argol
Highly Voted 3 years, 6 months ago
Ans: BCF. CF -> ALB -> EC2 servers -> Dynamo. CF to ALB, ALB to EC2 servers.
upvoted 7 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: CEF
Going with CEF.
upvoted 1 times
Raphaello
1 year, 4 months ago
Important note: You can’t use a self-signed certificate for HTTPS communication between CloudFront and your origin. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html#using-https-cloudfront-to-origin-certificate
upvoted 1 times
Toptip
2 years, 1 month ago
Selected Answer: CEF
B doesn't make sense at all... The question asks for End to End TLS between the users and CloudFront. A vs C: I think C is better to redirect HTTP to HTTPS, otherwise the users will see a 404 page if they opened the HTTP page by mistake
upvoted 1 times
ITGURU51
2 years, 2 months ago
The question states that we need to configure end to end TLS encryption. Therefore the ALB needs a public certificate and the web servers running on EC2 instances need to be configured to use HTTPS, which also requires a certificate. Also CloudFront needs to be configured to redirect HTTP to HTTPS.
upvoted 1 times
peddyua
2 years, 3 months ago
Selected Answer: CEF
The key is "enforce end-to-end encryption in transit". This means A is out, since ALL communications MUST be ENFORCED to encrypt traffic. This leaves the following choices: C. To harden security on CF by encrypting all 100% of communications (redirect HTTP to HTTPS, pretty common practice). E. Encrypt communication between CF and ALB, as the question says "...that can optionally secure connections between the website users and CloudFront", which means we need to further improve the connection so all 100% of connections are encrypted. F. Securing END to END from ALB to EC2.
upvoted 1 times
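
The three hops discussed in this thread (viewer to CloudFront, CloudFront to ALB, ALB to EC2) can be checked mechanically. The following is an added example, not part of the original thread: it audits dictionaries shaped like the CloudFront `GetDistributionConfig` and ELBv2 `DescribeListeners` / `DescribeTargetGroups` responses. The `sample` helper, origin IDs and all values are constructed for illustration.

```python
def audit_tls_chain(dist, listeners, target_groups):
    """Return findings per hop; an empty list means every hop enforces HTTPS."""
    findings = []
    # Hop 1, viewer -> CloudFront (option C): "allow-all" leaves plain HTTP usable.
    behaviors = [dist["DefaultCacheBehavior"]]
    behaviors += dist.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviors:
        if b["ViewerProtocolPolicy"] not in ("redirect-to-https", "https-only"):
            findings.append(f"viewer: behavior {b.get('PathPattern', 'default')} allows HTTP")
    # Hop 2, CloudFront -> ALB (option E). S3 origins carry S3OriginConfig
    # instead of CustomOriginConfig and are skipped by this check.
    for o in dist["Origins"]["Items"]:
        custom = o.get("CustomOriginConfig")
        if custom and custom["OriginProtocolPolicy"] != "https-only":
            findings.append(f"origin: {o['Id']} uses {custom['OriginProtocolPolicy']}")
    for lst in listeners:
        actions = lst.get("DefaultActions", [])
        # An HTTP listener is acceptable only if all it does is redirect to HTTPS.
        redirect_only = bool(actions) and all(
            a.get("Type") == "redirect"
            and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
            for a in actions)
        if lst["Protocol"] != "HTTPS" and not redirect_only:
            findings.append(f"alb: listener :{lst['Port']} serves {lst['Protocol']}")
    # Hop 3, ALB -> EC2 (option F): the target group must speak HTTPS.
    for tg in target_groups:
        if tg["Protocol"] != "HTTPS":
            findings.append(f"target: group {tg['TargetGroupName']} uses {tg['Protocol']}")
    return findings

def sample(viewer, origin, listener, target):
    """Build a constructed configuration (not real account data)."""
    dist = {
        "DefaultCacheBehavior": {"ViewerProtocolPolicy": viewer},
        "Origins": {"Items": [
            {"Id": "static-s3", "S3OriginConfig": {"OriginAccessIdentity": ""}},
            {"Id": "web-alb", "CustomOriginConfig": {"OriginProtocolPolicy": origin}},
        ]},
    }
    listeners = [{"Port": 443 if listener == "HTTPS" else 80, "Protocol": listener,
                  "DefaultActions": [{"Type": "forward"}]}]
    return dist, listeners, [{"TargetGroupName": "web", "Protocol": target}]

BEFORE = audit_tls_chain(*sample("allow-all", "http-only", "HTTP", "HTTP"))
AFTER = audit_tls_chain(*sample("redirect-to-https", "https-only", "HTTPS", "HTTPS"))

if __name__ == "__main__":
    print("\n".join(BEFORE) or "no findings")
    print("\n".join(AFTER) or "no findings")
```
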
awsec2
2 years, 6 months ago
CDE. Option A is not necessary because it only applies to content served from Amazon S3, which is not part of the end-to-end encryption requirement. Option B is not necessary because the data store is not part of the end-to-end encryption requirement. Option F is not necessary because the company already has a TLS certificate stored in ACM that can be used for this purpose.
upvoted 3 times
RameshAWS
2 years, 6 months ago
C, E, F
upvoted 1 times
[Removed]
2 years, 6 months ago
CDE (if you are using the Apache HTTP Server, you can follow these steps: Download the ACM certificate and the private key from ACM. Copy the certificate and private key files to your EC2 instance. Update the Apache HTTP Server configuration to use the certificate and private key. Restart the Apache HTTP Server to apply the changes.)
upvoted 1 times
vikaswalajay
2 years, 9 months ago
AEF. C is wrong - redirect HTTP to HTTPS, because the user may use HTTP at first before the HTTPS redirection, so end to end matters here. B is wrong because DDB only works on HTTPS. D is wrong because the web server can't use ACM, have to use a CA certificate.
upvoted 2 times
sapien45
2 years, 10 months ago
Selected Answer: CEF
A: optionally having HTTPS is problematic. B: DynamoDB is always HTTPS.
upvoted 2 times
CW0106
2 years, 10 months ago
Selected Answer: AEF
https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html - DDB uses HTTPS by default. No B. https://docs.aws.amazon.com/zh_cn/AmazonCloudFront/latest/DeveloperGuide/using-https.html - A is correct.
upvoted 2 times
Rja148393
2 years, 11 months ago
Selected Answer: AEF
A needs to be considered since we are not considering the S3 for end-to-end comm https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html . AEF for me
upvoted 2 times
anirudh1989
3 years ago
so what is the correct answer to this question?
upvoted 1 times
tuananhngo
3 years ago
BCE. Not BCF. F is wrong because you cannot configure the web servers on the EC2 instances to use HTTPS only with that certificate, and it's very similar to D.
upvoted 1 times
ideoignus
3 years, 5 months ago
B, E, F
upvoted 2 times
AliS2020
3 years, 5 months ago
I agree with NSF2, there must be a typo, so it would be BC, but now is it E or F? If we think about end-to-end encryption and leveraging CloudFront then we should choose CloudFront. So it will be BCE. Any thoughts?
upvoted 1 times