AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A global e-commerce company is migrating its platform to AWS. For regulatory compliance, the company must use a specific third-party Extended Validation (EV) certificate for all public-facing endpoints. The architecture consists of a CloudFront distribution for caching static content and directing traffic to an Application Load Balancer (ALB) in the eu-west-1 region.
A solutions architect needs to design a strategy to make the EV certificate available to both the CloudFront distribution and the ALB. The private key for the certificate must be protected, and the process must meet all requirements.
Which approach should the architect recommend?
Import the certificate and its chain into ACM in the us-east-1 region and associate it with the CloudFront distribution. Then, configure the CloudFront origin to use an 'HTTPS Only' Origin Protocol Policy to connect to the ALB.
Store the certificate, private key, and chain in AWS Secrets Manager in the eu-west-1 region. Configure both the ALB and the CloudFront distribution to retrieve and use the certificate from Secrets Manager.
Import the certificate and its chain into ACM in the us-east-1 region for the CloudFront distribution. Separately, import the same certificate and chain into ACM in the eu-west-1 region for the ALB.
Import the certificate and its chain into ACM in the eu-west-1 region. Associate this certificate with the ALB and reference its Amazon Resource Name (ARN) in the CloudFront distribution settings.
The correct approach is to import the EV certificate into AWS Certificate Manager (ACM) in two separate regions. For CloudFront, custom SSL/TLS certificates must be imported into or requested from ACM in the US East (N. Virginia) region, us-east-1. For an Application Load Balancer (ALB), the certificate must reside in the same AWS Region as the load balancer itself, which in this case is eu-west-1. Therefore, the only way to use the same third-party certificate for both services is to perform the import twice: once in us-east-1 for CloudFront and once in eu-west-1 for the ALB.
Importing the certificate only into eu-west-1 is incorrect because CloudFront cannot access certificates from any region other than us-east-1.
Using AWS Secrets Manager is incorrect because neither CloudFront nor ALB can natively use certificates stored in Secrets Manager for TLS termination; they are designed to integrate with ACM.
Importing the certificate only to us-east-1 for CloudFront and not for the ALB fails to meet the requirement that the specific EV certificate be used on all public endpoints, as the ALB would be left without the required certificate. The ALB needs its own certificate to terminate the HTTPS connection from CloudFront.
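As an added worked example (not part of the original question and not AWS-provided code), the two-region import described above as an AWS CLI script that imports the certificate, checks that each ARN landed in the region its consumer can see, and attaches it to the ALB listener and the CloudFront distribution. The distribution id, listener ARN and the .pem/.key file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example: import one third-party EV certificate into ACM twice
# (us-east-1 for CloudFront, eu-west-1 for the ALB) and attach it to both.
# DIST_ID, LISTENER_ARN and the ev.pem/ev.key/chain.pem names are placeholders.
set -eu

CF_REGION="us-east-1"   # CloudFront only reads ACM certificates from us-east-1
ALB_REGION="eu-west-1"  # an ALB certificate must live in the ALB's own region
DIST_ID="${DIST_ID:-PLACEHOLDER_DISTRIBUTION_ID}"
LISTENER_ARN="${LISTENER_ARN:-arn:aws:elasticloadbalancing:eu-west-1:111122223333:listener/app/placeholder/0/0}"

# Import cert + private key + chain into ACM in one region and print the new ARN.
# fileb:// makes the CLI read the key from disk, so it never appears as a
# command-line value or in shell history.
import_cert() {
  region="$1"; cert="$2"; key="$3"; chain="$4"
  aws acm import-certificate --region "$region" \
    --certificate "fileb://$cert" --private-key "fileb://$key" \
    --certificate-chain "fileb://$chain" \
    --query CertificateArn --output text
}

# ACM ARNs embed their region (arn:aws:acm:<region>:<account>:certificate/<id>),
# which lets us confirm each import landed where its consumer can see it.
arn_region() { printf '%s\n' "$1" | cut -d: -f4; }

attach_to_alb() {
  aws elbv2 modify-listener --region "$ALB_REGION" \
    --listener-arn "$LISTENER_ARN" --certificates "CertificateArn=$1"
}

attach_to_cloudfront() {
  out=$(aws cloudfront get-distribution-config --id "$DIST_ID")
  etag=$(printf '%s' "$out" | jq -r .ETag)
  printf '%s' "$out" | jq --arg arn "$1" '.DistributionConfig
    | .ViewerCertificate = {ACMCertificateArn: $arn, SSLSupportMethod: "sni-only",
        MinimumProtocolVersion: "TLSv1.2_2021", CloudFrontDefaultCertificate: false}' \
    > dist-config.json
  aws cloudfront update-distribution --id "$DIST_ID" --if-match "$etag" \
    --distribution-config file://dist-config.json
}

main() {
  cf_arn=$(import_cert "$CF_REGION" ev.pem ev.key chain.pem)
  alb_arn=$(import_cert "$ALB_REGION" ev.pem ev.key chain.pem)
  [ "$(arn_region "$cf_arn")" = "$CF_REGION" ] || { echo "CloudFront cert not in $CF_REGION" >&2; exit 1; }
  [ "$(arn_region "$alb_arn")" = "$ALB_REGION" ] || { echo "ALB cert not in $ALB_REGION" >&2; exit 1; }
  attach_to_alb "$alb_arn"
  attach_to_cloudfront "$cf_arn"
}

# Only touch AWS when explicitly requested, so sourcing the file has no side effects.
if [ "${RUN_AWS:-0}" = "1" ]; then main; fi
```

Run with `RUN_AWS=1 ./import-ev-cert.sh` from a shell whose AWS credentials can call ACM, ELBv2 and CloudFront; a custom certificate on CloudFront also requires the matching hostname to be listed in the distribution's Aliases.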