Exam SAA-C03
Question 172

A solutions architect is creating a new Amazon CloudFront distribution for an application. Some of the information submitted by users is sensitive. The application uses HTTPS but needs another layer of security. The sensitive information should be protected throughout the entire application stack, and access to the information should be restricted to certain applications.

Which action should the solutions architect take?

    Correct Answer: C

    To ensure that sensitive information is protected throughout the entire application stack and that access is restricted to certain applications, configuring a CloudFront field-level encryption profile is the correct approach. Field-level encryption allows you to encrypt specific data fields at the edge of the CloudFront network. This ensures that sensitive information remains encrypted as it travels through the CloudFront distribution and while at rest, providing an additional layer of security beyond HTTPS. This encryption ensures that only authorized applications with the necessary credentials can access and decrypt the sensitive data.
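As an added illustration (not part of the original page and not AWS's own sample), here are the two documents the CloudFront API takes for field-level encryption, shown together under their API type names: a profile naming which POST fields are encrypted under which public key, and a configuration mapping a request content type to that profile. The field names, provider name and all IDs are constructed placeholders.

```json
{
  "FieldLevelEncryptionProfileConfig": {
    "Name": "example-sensitive-fields",
    "CallerReference": "example-profile-001",
    "Comment": "Constructed example; key ID, provider and field names are placeholders",
    "EncryptionEntities": {
      "Quantity": 1,
      "Items": [
        {
          "PublicKeyId": "PUBLIC_KEY_ID_PLACEHOLDER",
          "ProviderId": "example-provider",
          "FieldPatterns": {
            "Quantity": 2,
            "Items": ["ssn", "card_number"]
          }
        }
      ]
    }
  },
  "FieldLevelEncryptionConfig": {
    "CallerReference": "example-config-001",
    "Comment": "Constructed example; maps form posts to the profile above",
    "ContentTypeProfileConfig": {
      "ForwardWhenContentTypeIsUnknown": false,
      "ContentTypeProfiles": {
        "Quantity": 1,
        "Items": [
          {
            "Format": "URLEncoded",
            "ContentType": "application/x-www-form-urlencoded",
            "ProfileId": "PROFILE_ID_PLACEHOLDER"
          }
        ]
      }
    }
  }
}
```

Each document is submitted to CloudFront separately, and the resulting configuration is then attached to a cache behavior. With `ForwardWhenContentTypeIsUnknown` set to `false`, CloudFront returns an error for a request with an unmapped content type instead of forwarding it unencrypted.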

Discussion
Bobbybash

CCCCCCCCC Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—are able to do so.

vijaykamal Option: C

Options A and B (signed URL and signed cookie) are used for controlling access to specific resources and are typically used for restricting access based on URLs or cookies. They do not provide field-level encryption for sensitive data within HTTP requests. Option D (configuring CloudFront with the Origin Protocol Policy set to HTTPS Only for the Viewer Protocol Policy) is related to enforcing HTTPS communication between CloudFront and the viewer (end-user). While important for security, it doesn't address the specific requirement of protecting sensitive data within the application stack.

WherecanIstart Option: C

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html "Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack".

bdp123 Option: C

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html "With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by using HTTPS. Field-level encryption adds an additional layer of security that lets you protect specific data throughout system processing so that only certain applications can see it."

NayeraB Option: C

C is the only one that addresses handling sensitive information.

master9 Option: A

Please go through below link: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

pentium75

This is about controlling access for downloads (making sure that the download request is coming from an authenticated user), it has nothing to do with protecting data that is sent to the application.

Leo1688

cccc, this link https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html

cookieMr Option: C

Option A and Option B are used for controlling access to specific resources or content based on signed URLs or cookies. While they provide security and access control, they do not provide field-level encryption for sensitive data within the requests. Option D ensures that communication between the viewer and CloudFront is encrypted with HTTPS. However, it does not specifically address the protection and encryption of sensitive information within the application stack. Therefore, the most appropriate action to protect sensitive information throughout the entire application stack and restrict access to certain applications is to configure a CloudFront field-level encryption profile (Option C).

jatric Option: C

Field-level encryption allows protecting sensitive information throughout the application stack.

zinabu

With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by using HTTPS. Field-level encryption adds an additional layer of security that lets you protect specific data throughout system processing so that only certain applications can see it. Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—are able to do so.

huzaifaharoun

C: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html

bujuman Option: C

Reviewing my first vote after research. It seems that C is the best answer: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html

awsgeek75 Option: C

A is for fetch. B requires cookies. D just enforces HTTPS, which is already mentioned for the solution (CloudFront only allows HTTPS), and does not add another layer of security. C provides field-level encryption security, which is another layer of security.

Guru4Cloud Option: C

C) Configure a CloudFront field-level encryption profile. Field-level encryption allows you to encrypt sensitive information at the edge before distributing content through CloudFront. It provides an additional layer of security for sensitive user-submitted data. The other options would not provide field-level encryption.

mr_D3v1n3

Would the HTTPS imply that the cert was signed by a CA?

Jeeva28 Option: C

With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by using HTTPS. Field-level encryption adds an additional layer of security that lets you protect specific data throughout system processing so that only certain applications can see it.

ProfXsamson

C, field-level encryption should be used when necessary to protect sensitive data.