How should you configure CloudFront to meet this requirement?

Under the Payment Card Industry Data Security Standard (PCI DSS), merchants that handle credit card data must use strong cryptography. These merchants must also use security protocols to protect sensitive data during transmission over public networks.
You are migrating your PCI DSS application from an on-premises SSL appliance and Apache to a VPC behind Amazon CloudFront.
How should you configure CloudFront to meet this requirement?
A. Configure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin’s Protocol Policy to ‘Match Viewer’.
B. Configure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the origin without TLS termination at the edge.
C. Configure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via AWS Direct Connect.
D. Configure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward requests to the origin via the Amazon private network.


3 thoughts on “How should you configure CloudFront to meet this requirement?”

    1. A is wrong: privacy is mandatory. With A “match viewer”... the viewer can be transacting with HTTP so CF will honour that when it talks to origin, therefore creating an end-to-end clear-text transaction sequence. NO NO NO.
      B is wrong: “…without TLS termination…” NO NO NO.
      C is a nonsense option: CloudFront+Origin+Direct Connect?? NO.
      D is correct:
      1) “…redirect HTTP requests to HTTPS” … YES YES YES.
      2) “…to the origin via the Amazon private network…” YES again.

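A check for the two settings this question turns on, the cache behavior's viewer protocol policy and the origin protocol policy, written as an added example that is not part of the original page or its comments. It assumes the `DistributionConfig` dictionary shape returned by boto3's `get_distribution_config`; the origin id and both sample configurations are constructed.

```python
# Added example, not from the original page. Field names follow the
# DistributionConfig structure returned by boto3's get_distribution_config;
# the two sample configs are constructed for illustration.

def cleartext_legs(config):
    """Return sorted (leg, where, setting) tuples for hops that can carry HTTP."""
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    behaviors = [("default", config["DefaultCacheBehavior"])]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))
    findings = set()
    for path, b in behaviors:
        # allow-all serves viewers over plain HTTP; https-only and
        # redirect-to-https keep the viewer leg on TLS.
        viewer_http = b["ViewerProtocolPolicy"] == "allow-all"
        if viewer_http:
            findings.add(("viewer", path, "allow-all"))
        origin = origins[b["TargetOriginId"]]
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 bucket origins carry no OriginProtocolPolicy
        policy = custom["OriginProtocolPolicy"]
        # match-viewer copies the viewer's protocol, so it is only as strong
        # as the viewer policy of the behavior that routes to this origin.
        if policy == "http-only" or (policy == "match-viewer" and viewer_http):
            findings.add(("origin", origin["Id"], policy))
    return sorted(findings)

def make_config(viewer_policy, origin_policy):
    # Constructed minimal config: one behavior, one custom origin.
    return {
        "Origins": {"Items": [{
            "Id": "app-origin",  # hypothetical origin id
            "CustomOriginConfig": {"OriginProtocolPolicy": origin_policy},
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "app-origin",
            "ViewerProtocolPolicy": viewer_policy,
        },
    }

WEAK = make_config("allow-all", "match-viewer")
HARDENED = make_config("redirect-to-https", "https-only")

if __name__ == "__main__":
    print(cleartext_legs(WEAK))
    print(cleartext_legs(HARDENED))
```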
