Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 33 discussion

To use a certificate in AWS Certificate Manager (ACM) to require HTTPS between viewers and CloudFront, make sure you request (or import) the certificate in the US East (N. Virginia) Region (us-east-1). https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html

I have checked at various places Answer is D Reason: ACM just can only import certificate in us-east-1 and we need to associate the imported certificate with us-east-2 The caused confusion regarding it is because of import and associate Crux: we will import in us-east-1 but use in us-east-2

ACM certificates must reside in us-east-1 for CloudFront, not the same Region as the API (us-east-2 in this case).

D is the correct answer.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html

Import cert in the same region

D. Importe o certificado SSL/TLS para o AWS Certificate Manager (ACM) na região us-east-1. Crie um registro DNS CNAME para o domínio personalizado.

AWS Region for AWS Certificate Manager To use a certificate in AWS Certificate Manager (ACM) to require HTTPS between viewers and CloudFront, make sure you request (or import) the certificate in the US East (N. Virginia) Region (us-east-1).

D If you need to use CloudFront, then, you must import it into ue-east-1. https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html

Selected Answer: D A is not right because for cloudfront you create a CNMA not a DNS A https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html C is not right because ACM cannot import certificates in us-east-2 https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html B is not right. The certificate is for an external CA but can be uploaded to ACM or you must request a public certificate from AWS certificate Manager https://repost.aws/knowledge-center/install-ssl-cloudfront but you cannot import the certificate into CloudFront

C The first statement of the question: A developer is creating an application that includes an Amazon API Gateway REST API in the us-east-2 Region. ... it is a Regional API, when using a Regional endpoint, the SSL/TLS certificate for the custom domain must be imported into AWS Certificate Manager (ACM) in the same Region as the API, only if we use g Edge-Optimized endpoint, the certificate must be in us-east-1.

The ACM has to be implemented at US-East-1

To use Amazon CloudFront and a custom domain name for an Amazon API Gateway REST API, the developer should import the SSL/TLS certificate into AWS Certificate Manager (ACM) in the same Region as the API, and create a DNS CNAME record for the custom domain. This is because AWS Certificate Manager can only issue SSL/TLS certificates in the same Region as the API, and a DNS CNAME record maps the custom domain to the CloudFront distribution. Option A is incorrect because a DNS A record is not sufficient to map the custom domain to the CloudFront distribution. Option B is incorrect because AWS Certificate Manager must issue the SSL/TLS certificate in the same Region as the API. Option D is incorrect because the SSL/TLS certificate must be issued in the same Region as the API, and a DNS CNAME record is required to map the custom domain to the CloudFront distribution.

C. Import the SSL/TLS certificate into AWS Certificate Manager (ACM) in the same Region as the API. Create a DNS CNAME record for the custom domain. Explanation: Amazon CloudFront can use SSL/TLS certificates stored in AWS Certificate Manager (ACM) to provide secure HTTPS connections for custom domain names. In this scenario, the developer should import the SSL/TLS certificate acquired from a third-party provider into ACM in the same Region as the API (us-east-2 in this case). This allows the certificate to be used by CloudFront.

It's D. It is trying to integrate with CloudFront, therefore it must upload certificates in us-east-1. If it was a regional API, then certificates must be uploaded in the same region of the API Gateway.

I was thinking this answer would be C

The correct answer is D. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html