Amazon ANS-C01 Exam - Topic 1 Question 2 Discussion

Actual exam question for Amazon's ANS-C01 exam

Question #: 2
Topic #: 1

A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company's customers access the website by using service example com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name.

The company's security policy requires the traffic to be encrypted in transit at all times between the users and the backend.

Which combination of changes must the company make to meet this security requirement? (Choose three.)

ACreate a self-signed certificate for service.example.com. Import the certificate into AWS Certificate Manager (ACM). Configure CloudFront to use this imported SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.

BCreate a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.

CCreate a certificate with any domain name by using AWS Certificate Manager (ACM) for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group.

DCreate a public certificate from a third-party certificate provider with any domain name for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group.

ECreate a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.

FCreate a self-signed certificate for service-alb.example.com. Import the certificate into AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the imported service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.

Show Suggested Answer

Suggested Answer: B, D, E

by Jolene at Mar 21, 2023, 08:37 AM

Limited Time Offer

25%

Off

Get Premium ANS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Nichelle

4 months ago

D sounds good too, but third-party certs can be a hassle.

upvoted 0 times

...

Marget

4 months ago

I agree with B, it's the best practice to use ACM for SSL.

upvoted 0 times

...

Emiko

4 months ago

Wait, why would you use a self-signed cert? Seems sketchy.

upvoted 0 times

...

Johana

4 months ago

I think A is a bit risky with self-signed certs.

upvoted 0 times

...

Lenna

4 months ago

Definitely B and E for sure!

upvoted 0 times

...

Katy

5 months ago

I recall that we need to ensure all traffic is encrypted, so I think we definitely need to configure the ALB with an HTTPS listener. Options C and D seem relevant, but I’m not sure which one is better.

upvoted 0 times

...

Clay

5 months ago

I'm a bit confused about whether we should create a self-signed certificate or use ACM for the ALB. I feel like option E might be the way to go since it talks about modifying the CloudFront origin.

upvoted 0 times

...

Carla

5 months ago

I remember a practice question where we had to redirect HTTP to HTTPS. I think option B sounds right because it mentions using a custom SSL certificate for CloudFront.

upvoted 0 times

...

Alberto

5 months ago

I think we need to use AWS Certificate Manager for the SSL certificate, but I'm not sure if it should be for the CloudFront domain or the ALB.

upvoted 0 times

...

Rolf

5 months ago

I recall that we had a question about using HTTPS listeners on the ALB, but I can't remember if we should use a public certificate or if ACM is sufficient.

upvoted 0 times

...

Vivan

5 months ago

I’m a bit confused about whether we need a certificate for the ALB or just for the CloudFront distribution. I feel like both might be necessary to ensure end-to-end encryption.

upvoted 0 times

...

Juliann

5 months ago

I think option B sounds familiar because we practiced similar questions about configuring CloudFront with ACM certificates. Redirecting HTTP to HTTPS is definitely a must.

upvoted 0 times

...

Carlee

5 months ago

I remember we discussed the importance of using AWS Certificate Manager for SSL certificates, but I'm not sure if a self-signed certificate is the best option for production.

upvoted 0 times

...

Basilia

5 months ago

I'm a bit confused about the KPIs and dashboards. Do service templates really contain those, or is that something else? I'll have to guess on those parts.

upvoted 0 times

...

Tegan

5 months ago

Okay, I think I've got this. First, I'll SSH into the worker1 node and enforce the AppArmor profile, then I'll update the manifest file and create the pod. Shouldn't be too bad.

upvoted 0 times

...

Jodi

5 months ago

Hmm, I'm a bit unsure about this one. I know business exceptions are related to business rules and requirements, but I'm not sure how to apply that here. I'll have to think it through step-by-step.

upvoted 0 times

...

Sheron

5 months ago

I'm a bit confused by this question. I'm not sure which one is the wrong statement. I'll have to review my notes on independent testing.

upvoted 0 times

...