Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in distinguishing how CloudFront handles HTTPS at both the viewer and origin levels. In production, this is about knowing exactly how to enforce encryption for both user traffic and backend communication, ensuring data security without breaking functionality. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
TechWave Inc., an e-commerce startup, uses Amazon CloudFront to serve its web application globally with low latency. Recently, the security team mandated that all traffic must be encrypted end-to-end: from the customers’ browsers to CloudFront, and from CloudFront to the application origin servers. TechWave wants to configure the CloudFront distribution to meet these encryption requirements without impacting performance or functionality.
The Requirement #
Ensure that:
- All user requests to CloudFront use HTTPS.
- All CloudFront requests to the origin web servers use HTTPS.
The Options #
- A) Use AWS KMS to encrypt traffic between CloudFront and the web application.
- B) Set the Origin Protocol Policy to “HTTPS Only”.
- C) Set the Origin’s HTTP Port to 443.
- D) Set the Viewer Protocol Policy to “HTTPS Only” or “Redirect HTTP to HTTPS”.
- E) Enable the CloudFront option Restrict Viewer Access.
Correct Answer #
B and D
Quick Insight: The Developer Imperative #
For DVA-C02: Understanding CloudFront’s “Viewer Protocol Policy” and “Origin Protocol Policy” settings is critical to enforce HTTPS on both legs of the request. Misconfiguring these results in unencrypted traffic, which can cause security issues and compliance failures.
The Expert’s Analysis #
The Winning Logic #
- Option B: Origin Protocol Policy = “HTTPS Only”
  This setting makes CloudFront connect to the origin exclusively over HTTPS, ensuring encryption on the backend leg of the communication, from CloudFront to your web servers. If this is not set, CloudFront might use HTTP, exposing traffic internally.
- Option D: Viewer Protocol Policy = “HTTPS Only” or “Redirect HTTP to HTTPS”
  This ensures that all user traffic to CloudFront is encrypted. “HTTPS Only” blocks HTTP requests outright; “Redirect HTTP to HTTPS” gracefully redirects users from HTTP URLs to HTTPS, improving the user experience while enforcing encryption.
The Trap (Distractor Analysis) #
- Why not A?
  AWS KMS is for encrypting data at rest or encrypting objects in S3; it does not encrypt HTTP traffic in transit. Using KMS here is a misunderstanding of encryption types.
- Why not C?
  Port 443 is the standard HTTPS port, but setting the Origin’s HTTP port to 443 is nonsensical. CloudFront’s “Origin Protocol Policy” controls the protocol, not the manual port setting.
- Why not E?
  “Restrict Viewer Access” is about controlling who can view content (signed URLs/cookies), not about enforcing HTTPS encryption.
The Technical Blueprint #
```bash
# AWS CLI to update a CloudFront distribution to enforce HTTPS on viewer and origin.
# update-distribution requires the current ETag (returned by get-distribution-config)
# in --if-match; E123EXAMPLE123 and ETAGEXAMPLE are placeholders.
aws cloudfront update-distribution --id E123EXAMPLE123 \
  --if-match ETAGEXAMPLE \
  --distribution-config file://distribution-config.json
```
Inside distribution-config.json, the relevant settings (an excerpt; the full DistributionConfig returned by get-distribution-config must be supplied, and OriginProtocolPolicy lives under CustomOriginConfig):
```json
{
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "origin1",
        "DomainName": "origin.example.com",
        "CustomOriginConfig": {
          "HTTPPort": 80,
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "https-only"
        }
      }
    ]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "origin1",
    "ViewerProtocolPolicy": "redirect-to-https"
  }
}
```
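As an added example (not code from the original note or from AWS), the following script audits a DistributionConfig document, such as the output of `aws cloudfront get-distribution-config`, for both HTTPS legs, and applies options B and D to a misconfigured copy. It goes slightly beyond the scenario by checking every path-pattern cache behavior, not only the default one; the function names and the sample config are constructed for this example.

```python
"""Audit a CloudFront DistributionConfig for end-to-end HTTPS (added example)."""
import json

VIEWER_OK = {"https-only", "redirect-to-https"}


def audit_https(dist_config: dict) -> list:
    """Return findings; an empty list means both legs enforce HTTPS."""
    findings = []
    # Leg 1: viewer -> CloudFront. Default behavior plus every path-pattern behavior.
    behaviors = [("default", dist_config.get("DefaultCacheBehavior", {}))]
    for b in dist_config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b.get("PathPattern", "?"), b))
    for name, b in behaviors:
        policy = b.get("ViewerProtocolPolicy", "allow-all")
        if policy not in VIEWER_OK:
            findings.append(f"viewer leg: behavior '{name}' has ViewerProtocolPolicy={policy}")
    # Leg 2: CloudFront -> origin. Only custom origins carry OriginProtocolPolicy;
    # S3 REST origins (S3OriginConfig) have no such field, so flag them for manual review.
    for o in dist_config.get("Origins", {}).get("Items", []):
        oid = o.get("Id", "?")
        custom = o.get("CustomOriginConfig")
        if custom is None:
            findings.append(f"origin leg: origin '{oid}' has no CustomOriginConfig; review separately")
            continue
        opp = custom.get("OriginProtocolPolicy", "missing")
        if opp != "https-only":
            findings.append(f"origin leg: origin '{oid}' has OriginProtocolPolicy={opp}")
    return findings


def enforce_https(dist_config: dict) -> dict:
    """Return a deep copy with options B and D applied to every origin and behavior."""
    fixed = json.loads(json.dumps(dist_config))
    for o in fixed.get("Origins", {}).get("Items", []):
        if "CustomOriginConfig" in o:
            o["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
    for b in [fixed.get("DefaultCacheBehavior", {})] + fixed.get("CacheBehaviors", {}).get("Items", []):
        b["ViewerProtocolPolicy"] = "redirect-to-https"
    return fixed


# Constructed sample: the unencrypted 'before' state from the scenario.
SAMPLE_BEFORE = {
    "Origins": {"Quantity": 1, "Items": [{"Id": "origin1", "DomainName": "origin.example.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "origin1", "ViewerProtocolPolicy": "allow-all"},
}

if __name__ == "__main__":
    print(audit_https(SAMPLE_BEFORE))                  # two findings, one per leg
    print(audit_https(enforce_https(SAMPLE_BEFORE)))   # []
```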
The Comparative Analysis #
| Option | API Complexity | Performance Impact | Use Case |
|---|---|---|---|
| A | Misapplied (KMS unrelated) | No impact on traffic | Incorrect use of encryption method |
| B | Simple config change | Ensures secure backend | Mandatory for origin encryption |
| C | Invalid parameter | No meaningful effect | Misunderstanding of port settings |
| D | Simple config change | Ensures secure user traffic | Mandatory for viewer encryption |
| E | Access control feature | No effect on encryption | Not related to traffic encryption |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick option combinations that explicitly configure both viewer and origin protocol policies when enforcing HTTPS.
Real World #
Many teams forget the origin leg, leaving backend HTTP traffic unencrypted, which can violate compliance. Setting CloudFront to enforce HTTPS at both ends is a security best practice.
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.