
AWS Certified Advanced Networking - Specialty
A company operates an order processing system requiring credit card numbers to remain encrypted. Their customer-facing application is deployed as an Amazon ECS service behind an Application Load Balancer (ALB) in the us-west-2 Region, with an Amazon CloudFront distribution configured to use the ALB as its origin. The company uses certificates from a third-party trusted certificate authority and employs HTTPS for encryption in transit. To ensure sensitive data remains encrypted during processing and is only decryptable by specific application components, what two steps should the company implement? (Choose two.)
Explanation:
To keep credit card numbers encrypted during processing and ensure that only certain application components can decrypt the sensitive data, the company needs to implement field-level encryption with Amazon CloudFront. This involves specifying which fields contain sensitive information and ensuring these fields are encrypted before being sent to the origin server.

The correct steps are:
1. Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution.
2. Create a field-level encryption profile to specify the sensitive fields.
3. Create a field-level encryption configuration with the newly created profile.
4. Link this configuration to the appropriate cache behavior associated with sensitive POST requests.

This ensures that sensitive data is encrypted at the field level before being processed by the application. Therefore, the correct options are those that correctly describe these steps, which are options C and E.

Option C correctly describes the process of using the private key for encryption, creating a field-level encryption profile, and linking the configuration to sensitive POST requests. Option E correctly describes uploading the public key, creating a field-level encryption profile, and linking the configuration to sensitive POST requests, which is the correct approach for field-level encryption with CloudFront.
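The four steps described above, written out as request payloads in an added example that is not part of the original page. The dictionary shapes follow the boto3 CloudFront client parameters (`create_public_key`, `create_field_level_encryption_profile`, `create_field_level_encryption_config`, and the cache behavior's `FieldLevelEncryptionId`); the function names, the `/checkout` path and all IDs are constructed placeholders, and nothing is sent to AWS.

```python
"""CloudFront field-level encryption (FLE) request payloads, built offline."""
import copy

HTTPS_POLICIES = {"https-only", "redirect-to-https"}

def public_key_config(name, pem, ref):
    # Step 1: only the public half of the key pair goes to CloudFront.
    if "PRIVATE KEY" in pem:
        raise ValueError("refusing to upload private key material")
    return {"CallerReference": ref, "Name": name, "EncodedKey": pem}

def profile_config(name, ref, public_key_id, provider_id, fields):
    # Step 2: list the POST form fields CloudFront must encrypt.
    entity = {"PublicKeyId": public_key_id, "ProviderId": provider_id,
              "FieldPatterns": {"Quantity": len(fields), "Items": list(fields)}}
    return {"Name": name, "CallerReference": ref,
            "EncryptionEntities": {"Quantity": 1, "Items": [entity]}}

def fle_config(ref, profile_id):
    # Step 3: bind the form content type to the profile; requests with
    # other content types are not forwarded to the origin.
    ctp = {"Format": "URLEncoded", "ProfileId": profile_id,
           "ContentType": "application/x-www-form-urlencoded"}
    return {"CallerReference": ref, "ContentTypeProfileConfig": {
        "ForwardWhenContentTypeIsUnknown": False,
        "ContentTypeProfiles": {"Quantity": 1, "Items": [ctp]}}}

def attach_to_behavior(dist_config, path_pattern, fle_id):
    # Step 4: link the configuration to the cache behavior for sensitive POSTs.
    cfg = copy.deepcopy(dist_config)  # leave the caller's copy untouched
    for b in cfg.get("CacheBehaviors", {}).get("Items", []):
        if b["PathPattern"] != path_pattern:
            continue
        if b["ViewerProtocolPolicy"] not in HTTPS_POLICIES:
            raise ValueError("behavior must require HTTPS from viewers")
        if "POST" not in b["AllowedMethods"]["Items"]:
            raise ValueError("behavior does not allow POST")
        b["FieldLevelEncryptionId"] = fle_id
        return cfg
    raise KeyError(f"no cache behavior for {path_pattern}")

# Constructed sample: a trimmed DistributionConfig with one cache behavior.
SAMPLE_DIST = {"CacheBehaviors": {"Quantity": 1, "Items": [{
    "PathPattern": "/checkout", "ViewerProtocolPolicy": "https-only",
    "FieldLevelEncryptionId": "",
    "AllowedMethods": {"Quantity": 7, "Items": [
        "GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]}}]}}
```

The private key never appears in any of these payloads; it stays with the application component that is allowed to decrypt the field.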