Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in how CloudFront's Viewer Protocol Policy and Origin Protocol Policy interact to secure data in transit while respecting the application architecture. The keys are understanding the distinction between how CloudFront communicates with end users and how it talks to your backend origins, and enforcing HTTPS on both legs for real data protection. Let's drill down.
The Certification Drill (Simulated Question) #
Scenario #
Your team at NexGenTech has developed a dynamic web portal hosted on Amazon EC2 instances, fronted by an internet-facing Application Load Balancer (ALB). To improve global content delivery and reduce latency, you’ve been tasked to implement an Amazon CloudFront distribution that serves as a caching layer in front of the ALB. Since the portal handles sensitive customer data originating outside the VPC, it is critical to ensure that data in transit is encrypted end-to-end—from the users to CloudFront and from CloudFront to the ALB.
The Requirement: #
Configure CloudFront to meet the following conditions:
- Encrypt data sent by clients accessing the portal.
- Ensure encrypted communication between CloudFront and the ALB origin.
- Avoid unnecessary complexity and maintain scalability.
The Options #
- A) Restrict viewer access by using signed URLs.
- B) Set the Origin Protocol Policy setting to Match Viewer.
- C) Enable field-level encryption.
- D) Enable automatic object compression.
- E) Set the Viewer Protocol Policy setting to Redirect HTTP to HTTPS.
Correct Answer #
B) Set the Origin Protocol Policy setting to Match Viewer.
E) Set the Viewer Protocol Policy setting to Redirect HTTP to HTTPS.
Quick Insight: The Developer Imperative #
Ensuring end-to-end encryption requires CloudFront to enforce HTTPS requests from viewers and connect securely to the ALB origin. The Viewer Protocol Policy controls the client-CloudFront channel, and redirecting HTTP to HTTPS enforces encryption from users. The Origin Protocol Policy controls how CloudFront talks to the ALB—in this case, “Match Viewer” ensures CloudFront matches the incoming viewer request’s protocol. Combined, these options close the encryption gap.
The Expert’s Analysis #
The Winning Logic #
- Viewer Protocol Policy to Redirect HTTP to HTTPS: This setting ensures that any client requests using HTTP are automatically redirected to HTTPS, enforcing encryption from the end user to CloudFront. It prevents unencrypted requests, satisfying the first half of the encryption requirement.
- Origin Protocol Policy to Match Viewer: By configuring CloudFront to use the same protocol as the viewer request when connecting to the origin (the ALB), the data between CloudFront and the origin remains encrypted if the client used HTTPS. This is critical because simply enabling HTTPS at the viewer side doesn’t guarantee encryption to the origin without the matching origin protocol policy.
This combination guarantees an encrypted tunnel from the user all the way through to the backend ALB, complying with security best practices for sensitive data transmission.
The Trap (Distractor Analysis): #
- A) Restrict viewer access by using signed URLs: This option is related to access control, not transmission encryption, so it’s irrelevant to the encryption requirement.
- C) Enable field-level encryption: This protects specific data fields between the viewer and CloudFront by encrypting them client-side but is more complex and beyond the stated requirement, which is full transit encryption.
- D) Enable automatic object compression: This relates to performance optimization, not security or encryption.
The Technical Blueprint #
B) For Developer (Code/CLI Snippet): #
```bash
aws cloudfront create-distribution --distribution-config '{
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "ALBOrigin",
        "DomainName": "my-alb-123456.us-east-1.elb.amazonaws.com",
        "CustomOriginConfig": {
          "HTTPPort": 80,
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "match-viewer"
        }
      }
    ]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "ALBOrigin",
    "ViewerProtocolPolicy": "redirect-to-https",
    "AllowedMethods": {
      "Quantity": 3,
      "Items": ["GET", "HEAD", "OPTIONS"]
    },
    ...
  },
  ...
}'
```
This CLI snippet shows the key parameters configuring the CloudFront distribution: for a non-S3 origin such as an ALB, OriginProtocolPolicy lives inside CustomOriginConfig (which also requires HTTPPort and HTTPSPort) and is set to match-viewer, while the DefaultCacheBehavior sets ViewerProtocolPolicy to redirect-to-https. The elided fields (...) stand in for the remaining required DistributionConfig members such as CallerReference, Comment and Enabled.
The Comparative Analysis #
| Option | API Complexity | Performance Impact | Use Case / Security Relevance |
|---|---|---|---|
| A | Low | Neutral | Access control, no transit encryption |
| B | Low | Neutral | Ensures encrypted communication CloudFront→Origin |
| C | High | Potential overhead | Fine-grained field encryption, beyond transit |
| D | Low | Improves speed | Compression only; unrelated to encryption |
| E | Low | Neutral | Enforces HTTPS client requests to CloudFront |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick CloudFront ViewerProtocolPolicy: redirect-to-https when you see client encryption requirements.
Real World #
In production, you might adopt Origin Protocol Policy: HTTPS Only instead of "Match Viewer" for stricter origin encryption enforcement, but "Match Viewer" balances flexibility and security well when viewer requests vary.
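An added audit helper (not from the original note, and not an AWS tool) that checks a DistributionConfig for the interplay described in the Winning Logic and the Real World note: a match-viewer origin is only as safe as the viewer policy in front of it, and strict mode enforces the https-only origin preference. The two config dicts are constructed to mirror the CLI snippet above.

```python
from typing import Dict, List

VIEWER_OK = {"redirect-to-https", "https-only"}  # client -> CloudFront leg stays encrypted


def audit_distribution(config: Dict, strict: bool = False) -> List[str]:
    """Return plaintext gaps in a DistributionConfig; [] means end-to-end TLS.

    strict=True models the production preference for https-only at the origin.
    """
    findings: List[str] = []
    behaviors = [dict(config.get("DefaultCacheBehavior", {}), PathPattern="default")]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    plaintext_viewers = False  # does any behavior still accept HTTP from clients?
    for b in behaviors:
        vpp = b.get("ViewerProtocolPolicy", "allow-all")
        if vpp not in VIEWER_OK:
            plaintext_viewers = True
            findings.append(f"behavior {b['PathPattern']}: ViewerProtocolPolicy={vpp} allows HTTP")
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3OriginConfig has no OriginProtocolPolicy; CloudFront reuses the viewer protocol
        opp, oid = custom.get("OriginProtocolPolicy", "http-only"), origin.get("Id", "?")
        if opp == "http-only":
            findings.append(f"origin {oid}: CloudFront->origin is plaintext (http-only)")
        elif opp == "match-viewer" and plaintext_viewers:
            findings.append(f"origin {oid}: match-viewer inherits HTTP from an allow-all behavior")
        elif opp == "match-viewer" and strict:
            findings.append(f"origin {oid}: strict mode requires https-only, found match-viewer")
    return findings


# Constructed sample mirroring the scenario's CLI snippet (ALB as custom origin).
PORTAL_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "ALBOrigin", "DomainName": "my-alb-123456.us-east-1.elb.amazonaws.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                               "OriginProtocolPolicy": "match-viewer"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "ALBOrigin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
}
# Constructed weak variant: match-viewer alone cannot fix an allow-all behavior.
WEAK_CONFIG = {"Origins": PORTAL_CONFIG["Origins"],
               "DefaultCacheBehavior": {"TargetOriginId": "ALBOrigin",
                                        "ViewerProtocolPolicy": "allow-all"}}

if __name__ == "__main__":
    for name, cfg in (("portal", PORTAL_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_distribution(cfg) or ["OK: end-to-end TLS enforced"])
```

Feed it the output of `aws cloudfront get-distribution-config` (the `DistributionConfig` member) to audit a live distribution the same way.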
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.