To ensure all traffic is encrypted between users and CloudFront, and between CloudFront and the web application, you need to set specific protocol policies. Option B, 'Require HTTPS connections for CloudFront to web application traffic,' ensures that communication between CloudFront and the web application is encrypted. Option D, 'Enforce HTTPS for user requests to CloudFront or redirect HTTP to HTTPS,' ensures that all user traffic to CloudFront is encrypted.