
Answer-first summary for fast verification
Answer: Configure a CloudFront field-level encryption profile.
## Explanation

**Correct Answer: C - Configure a CloudFront field-level encryption profile.**

**Why this is correct:**

1. **Field-level encryption** is specifically designed to protect sensitive data throughout the entire application stack. It encrypts specific fields in HTTPS requests at the CloudFront edge location, so the data remains encrypted as it travels to the origin server.
2. **End-to-end protection**: The sensitive information is encrypted at the edge, and only specific applications (those holding the corresponding private key) can decrypt it at the origin, providing protection throughout the entire stack.
3. **Restricted access**: Access to the sensitive information is restricted to applications that have the private key needed to decrypt the specific fields.

**Why other options are incorrect:**

- **A. Configure a CloudFront signed URL**: Signed URLs control who can access specific files, but they don't encrypt sensitive data fields within the content. They're for access control, not field-level encryption.
- **B. Configure a CloudFront signed cookie**: Similar to signed URLs, signed cookies control access to content but don't provide field-level encryption of sensitive data within the content.
- **D. Configure CloudFront and set the Origin Protocol Policy setting to HTTPS Only for the Viewer Protocol Policy**: This ensures HTTPS communication between CloudFront and the origin, but it doesn't provide additional encryption for specific sensitive fields within the data. The sensitive data would be visible at the origin server in plain text.

**Key AWS Concepts:**

- **CloudFront Field-Level Encryption**: Encrypts specific data fields in HTTPS requests at the edge, keeping them encrypted until they reach the application backend that can decrypt them.
- **Use Case**: Well suited to protecting sensitive information such as credit card numbers, social security numbers, or personal identification data that needs to remain encrypted throughout the entire application stack.
- **How it works**: You create encryption profiles that specify which fields to encrypt and which public key to use. The data is encrypted at the edge and can only be decrypted by applications with the corresponding private key.
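What "configure a field-level encryption profile" looks like in practice, as an added CloudFormation example that is not part of the original page: the public key resource, the profile that names the field to encrypt and the key to use, and the config that maps form posts to that profile. The resource names, the `card_number` field, the `payments-service` provider ID and the PEM placeholder are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFront field-level encryption for one sensitive POST form field (added example)

Resources:
  # Public half of an RSA-2048 key pair. The private half is held only by the
  # origin application that is allowed to read the field (assumed placeholder PEM).
  FormPublicKey:
    Type: AWS::CloudFront::PublicKey
    Properties:
      PublicKeyConfig:
        CallerReference: form-public-key-v1
        Name: form-public-key
        EncodedKey: |
          -----BEGIN PUBLIC KEY-----
          REPLACE_WITH_PEM_PUBLIC_KEY
          -----END PUBLIC KEY-----

  # The profile: which field patterns to encrypt and which public key to use.
  # ProviderId is an arbitrary label the origin uses to pick the right private key.
  SensitiveFieldProfile:
    Type: AWS::CloudFront::FieldLevelEncryptionProfile
    Properties:
      FieldLevelEncryptionProfileConfig:
        Name: sensitive-field-profile
        CallerReference: sensitive-field-profile-v1
        Comment: Encrypt the card_number form field at the edge
        EncryptionEntities:
          Quantity: 1
          Items:
            - PublicKeyId: !Ref FormPublicKey
              ProviderId: payments-service
              FieldPatterns:
                Quantity: 1
                Items:
                  - card_number

  # The config: apply the profile to URL-encoded form posts. Requests with an
  # unknown content type are rejected rather than forwarded unencrypted.
  SensitiveFieldConfig:
    Type: AWS::CloudFront::FieldLevelEncryptionConfig
    Properties:
      FieldLevelEncryptionConfig:
        CallerReference: sensitive-field-config-v1
        ContentTypeProfileConfig:
          ForwardWhenContentTypeIsUnknown: false
          ContentTypeProfiles:
            Quantity: 1
            Items:
              - ContentType: application/x-www-form-urlencoded
                Format: URLEncoded
                ProfileId: !Ref SensitiveFieldProfile
        QueryArgProfileConfig:
          ForwardWhenQueryArgProfileIsUnknown: true
```

The ID of `SensitiveFieldConfig` is then set as `FieldLevelEncryptionId` on the distribution's cache behavior, which must use an HTTPS viewer protocol policy and allow POST; the origin decrypts the field with its private key and every hop in between sees only ciphertext.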
Author: LeetQuiz Editorial Team
A solutions architect is creating a new Amazon CloudFront distribution for an application. Some of the information submitted by users is sensitive. The application uses HTTPS but needs another layer of security. The sensitive information should be protected throughout the entire application stack, and access to the information should be restricted to certain applications.
Which action should the solutions architect take?
- A. Configure a CloudFront signed URL.
- B. Configure a CloudFront signed cookie.
- C. Configure a CloudFront field-level encryption profile.
- D. Configure CloudFront and set the Origin Protocol Policy setting to HTTPS Only for the Viewer Protocol Policy.