Exam AWS Certified Solutions Architect - Professional topic 1 question 431 discussion

A company is using an Amazon CloudFront distribution to distribute both static and dynamic content from a web application running behind an Application Load Balancer. The web application requires user authorization and session tracking for dynamic content. The CloudFront distribution has a single cache behavior configured to forward the Authorization, Host, and User-Agent HTTP whitelist headers and a session cookie to the origin. All other cache behavior settings are set to their default value.
A valid ACM certificate is applied to the CloudFront distribution with a matching CNAME in the distribution settings. The ACM certificate is also applied to the HTTPS listener for the Application Load Balancer. The CloudFront origin protocol policy is set to HTTPS only. Analysis of the cache statistics report shows that the miss rate for this distribution is very high.
What can the Solutions Architect do to improve the cache hit rate for this distribution without causing the SSL/TLS handshake between CloudFront and the Application Load Balancer to fail?

  • A. Create two cache behaviors for static and dynamic content. Remove the User-Agent and Host HTTP headers from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for cache behavior configured for static content.
  • B. Remove the User-Agent and Authorization HTTP headers from the whitelist headers section of the cache behavior. Then update the cache behavior to use presigned cookies for authorization.
  • C. Remove the Host HTTP header from the whitelist headers section and remove the session cookie from the whitelist cookies section for the default cache behavior. Enable automatic object compression and use Lambda@Edge viewer request events for user authorization.
  • D. Create two cache behaviors for static and dynamic content. Remove the User-Agent HTTP header from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for cache behavior configured for static content.
Suggested Answer: D
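
The effect of option D on the cache key can be replayed in a small model. This is an added example, not part of the original question or discussion; the `/static/` path pattern, the constructed traffic, and the simplification that the cache key is the path plus the forwarded header and cookie values are assumptions.

```python
from itertools import product

# Simplified model (assumption): cache key = URL path + the value of every
# header and cookie that the matching cache behavior forwards to the origin.
ORIGINAL = [("*", {"headers": ("authorization", "host", "user-agent"),
                   "cookies": ("session",)})]
OPTION_D = [  # "/static/" as the static path pattern is hypothetical
    ("/static/", {"headers": ("host",), "cookies": ()}),
    ("*", {"headers": ("authorization", "host"), "cookies": ("session",)}),
]

def behavior_for(path, behaviors):
    """Return the first behavior whose pattern matches; '*' is the default."""
    for prefix, cfg in behaviors:
        if prefix == "*" or path.startswith(prefix):
            return cfg
    raise LookupError(path)

def cache_key(req, behaviors):
    cfg = behavior_for(req["path"], behaviors)
    return (req["path"],
            tuple(req["headers"].get(h, "") for h in cfg["headers"]),
            tuple(req["cookies"].get(c, "") for c in cfg["cookies"]))

def hit_ratio(requests, behaviors):
    """Replay requests against an empty cache and return hits / total."""
    seen, hits = set(), 0
    for req in requests:
        key = cache_key(req, behaviors)
        hits += key in seen
        seen.add(key)
    return hits / len(requests)

def sample_requests():
    """Constructed traffic: 3 users x 4 browsers, 2 static and 1 dynamic path."""
    users, agents = ["alice", "bob", "carol"], ["UA-1", "UA-2", "UA-3", "UA-4"]
    paths = ["/static/app.js", "/static/logo.png", "/api/cart"]
    return [{"path": p,
             "headers": {"host": "www.example.com", "user-agent": a,
                         "authorization": "Bearer " + u},
             "cookies": {"session": "sid-" + u}}
            for u, a, p in product(users, agents, paths)]

def host_always_forwarded(behaviors):
    """Option D's constraint: every behavior still forwards Host to the ALB."""
    return all("host" in cfg["headers"] for _, cfg in behaviors)

if __name__ == "__main__":
    reqs = sample_requests()
    print(hit_ratio(reqs, ORIGINAL), hit_ratio(reqs, OPTION_D))
```

In this model the dynamic path is still keyed per user (Authorization and session cookie), while static objects collapse to one cache entry per path.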

Comments

HazemYousry
Highly Voted 3 years, 1 month ago
A - Only session cookie and the Authorization headers to be kept and other headers can be removed
upvoted 16 times
MrCarter
3 years ago
that is incorrect
upvoted 4 times
...
Frank1
3 years, 1 month ago
Need to keep the Host header, as CloudFront and ELB are using the SAME SSL certificate. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html search "host"
upvoted 21 times
uopspop
3 years, 1 month ago
Thanks a lot. This explains why A is incorrect. I support D to be the answer, then.
upvoted 6 times
...
Smart
3 years, 1 month ago
^Thanks - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html#ssl-negotitation-failure
upvoted 3 times
...
inf
3 years, 1 month ago
? This is why A is correct. The article mentioned explicitly states that ONLY if you pass through the Host Header that the certificate must match the domain in the host header. Thus, if you *exclude* the host header, CloudFront does not care about the name in the origin certificate. So don't include the host header. "In addition, if you configured CloudFront to forward the Host header to your origin, the origin must respond with a certificate matching the domain in the Host header." (therefore just exclude the host header)
upvoted 4 times
b3llman
3 years, 1 month ago
Sorry, upvoted by mistake. You were wrong about this. If you remove the original Host header, CloudFront will add it back with the hostname of the origin. Since the Host header no longer matches the certificate, the SSL handshake will fail at the ALB. So, keeping the original Host header is a must.
upvoted 10 times
...
...
...
...
dumma
Highly Voted 3 years, 1 month ago
A is correct https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-hit-ratio.html the key requirements are to increase cache hit ratio, and not breaking SSL between CloudFront and the ALB. Breaking up the origin to static and dynamic would help. Application needs session and authorization headers for dynamic content but can be skipped for static content and neither need the user agent or host.
upvoted 10 times
MrCarter
3 years ago
nope, D is the correct answer
upvoted 2 times
...
...
SkyZeroZx
Most Recent 1 year, 4 months ago
Selected Answer: D
D - Host to not be removed
upvoted 1 times
...
DarthYoda
2 years ago
Selected Answer: D
D seems to be right
upvoted 2 times
...
robsonchirara
2 years ago
D - Removing the host header will break the TLS handshake. Static content is probably not being served by the ALB, maybe s3. Therefore no need to send many headers as this is affecting the cache hit ratio.
upvoted 1 times
...
dmscountera
2 years ago
Selected Answer: D
D - Host to not be removed
upvoted 2 times
...
Sizuma
2 years, 2 months ago
D IS SURE 100%
upvoted 2 times
...
Student1950
2 years, 4 months ago
I vote for D. Explanation: The existing configuration is working with Host header forwarding, which means both CloudFront and the ALB are configured with the same SSL certificate (same host name definition in the SSL cert). If you remove the Host header, CloudFront will add the custom origin host (hostname defined in ALB) to the Host header (host portion of URL). When this request reaches the ALB, the request will fail at the ALB, as the SSL hostname defined in the ALB SSL certificate will not match the host portion of the URL. Hence the Host header is required when we have the same SSL certificate deployed on CloudFront and the ALB. This works if the ALB has its own SSL certificate matching its own host name definition, which means CloudFront and the ALB have different SSL certificates.
upvoted 7 times
...
jj22222
2 years, 9 months ago
D looks right
upvoted 2 times
...
AzureDP900
2 years, 11 months ago
D is right Remove the User-Agent HTTP header from the whitelist headers section on both of the cache behaviors. There is no need to remove Host header.
upvoted 3 times
...
acloudguru
2 years, 11 months ago
Selected Answer: D
D, separate static and dynamic web to increase cache hit
upvoted 4 times
...
andylogan
3 years ago
It's D
upvoted 1 times
...
Kopa
3 years ago
Going for D
upvoted 1 times
...
Akhil254
3 years ago
D Correct
upvoted 1 times
...
student2020
3 years ago
Correct answer is D https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-hit-ratio.html Create separate cache behaviors for static and dynamic content, and configure CloudFront to forward cookies to your origin only for dynamic content. Host header is required for both cache behaviors not to break the SSL connection with the ALB.
upvoted 9 times
student2020
3 years ago
User-agent header results in too much variation in each request and therefore lots of cache misses. Removing this header will improve the cache hit ratio. Try to avoid caching based on request headers that have large numbers of unique values. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-hit-ratio.html
upvoted 4 times
...
...
Radhaghosh
3 years ago
Correct Answer - D. Since it's distributing both static & dynamic content, you should have two cache behaviors. So options B & C are eliminated. Now between A & D, the Host HTTP header is required, and you can't remove it. So the only valid option is D. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/understanding-the-cache-key.html
upvoted 9 times
...
KnightVictor
3 years ago
going with D, verified in Neal Davis sample questions
upvoted 4 times
...