Exam AWS Certified Solutions Architect - Professional topic 1 question 431 discussion

A company is using an Amazon CloudFront distribution to distribute both static and dynamic content from a web application running behind an Application Load Balancer. The web application requires user authorization and session tracking for dynamic content. The CloudFront distribution has a single cache behavior configured to forward the Authorization, Host, and User-Agent HTTP whitelist headers and a session cookie to the origin. All other cache behavior settings are set to their default value.

A valid ACM certificate is applied to the CloudFront distribution with a matching CNAME in the distribution settings. The ACM certificate is also applied to the HTTPS listener for the Application Load Balancer. The CloudFront origin protocol policy is set to HTTPS only. Analysis of the cache statistics report shows that the miss rate for this distribution is very high.

What can the Solutions Architect do to improve the cache hit rate for this distribution without causing the SSL/TLS handshake between CloudFront and the Application Load Balancer to fail?

  • A. Create two cache behaviors for static and dynamic content. Remove the User-Agent and Host HTTP headers from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for cache behavior configured for static content.
  • B. Remove the User-Agent and Authorization HTTP headers from the whitelist headers section of the cache behavior. Then update the cache behavior to use presigned cookies for authorization.
  • C. Remove the Host HTTP header from the whitelist headers section and remove the session cookie from the whitelist cookies section for the default cache behavior. Enable automatic object compression and use Lambda@Edge viewer request events for user authorization.
  • D. Create two cache behaviors for static and dynamic content. Remove the User-Agent HTTP header from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for cache behavior configured for static content.
Suggested Answer: D

Comments

HazemYousry
Highly Voted 3 years, 3 months ago
A - Only the session cookie and the Authorization header are to be kept; the other headers can be removed.
upvoted 16 times
MrCarter
3 years, 2 months ago
That is incorrect.
upvoted 4 times
Frank1
3 years, 3 months ago
Need to keep the Host header as CloudFront and the ELB are using the SAME SSL certificate. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html search "host"
upvoted 21 times
uopspop
3 years, 3 months ago
Thanks a lot. This explains why A is incorrect. I support D to be the answer, then.
upvoted 6 times
Smart
3 years, 3 months ago
^Thanks - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/http-502-bad-gateway.html#ssl-negotitation-failure
upvoted 3 times
inf
3 years, 3 months ago
? This is why A is correct. The article mentioned explicitly states that ONLY if you pass through the Host Header that the certificate must match the domain in the host header. Thus, if you *exclude* the host header, CloudFront does not care about the name in the origin certificate. So don't include the host header. "In addition, if you configured CloudFront to forward the Host header to your origin, the origin must respond with a certificate matching the domain in the Host header." (therefore just exclude the host header)
upvoted 4 times
b3llman
3 years, 3 months ago
Sorry, upvoted by mistake. You were wrong about this. If you remove the original Host header, CloudFront will add it back with the hostname of the origin. Since the Host header no longer matches the certificate, the SSL handshake will fail at the ALB. So, keeping the original Host header is a must.
upvoted 10 times
dumma
Highly Voted 3 years, 3 months ago
A is correct. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-hit-ratio.html The key requirements are to increase the cache hit ratio and not break SSL between CloudFront and the ALB. Breaking up the origin into static and dynamic would help. The application needs the session and authorization headers for dynamic content, but they can be skipped for static content, and neither needs the User-Agent or Host.
upvoted 10 times
MrCarter
3 years, 2 months ago
Nope, D is the correct answer.
upvoted 2 times
SkyZeroZx
Most Recent 1 year, 6 months ago
Selected Answer: D
D - Host is not to be removed.
upvoted 1 times
DarthYoda
2 years, 1 month ago
Selected Answer: D
D seems to be right.
upvoted 2 times
robsonchirara
2 years, 2 months ago
D - Removing the Host header will break the TLS handshake. Static content is probably not being served by the ALB, maybe by S3. Therefore there is no need to send many headers, as this is affecting the cache hit ratio.
upvoted 1 times
dmscountera
2 years, 2 months ago
Selected Answer: D
D - Host is not to be removed.
upvoted 2 times
Sizuma
2 years, 4 months ago
D IS SURE 100%
upvoted 2 times
Student1950
2 years, 5 months ago
I vote for D. Explanation: The existing configuration is working with Host header forwarding - this means both CloudFront and the ALB are configured with the same SSL certificate (same host name definition in the SSL cert). If you remove the Host header, CloudFront will add the custom origin host (the hostname defined in the ALB) to the Host header (the host portion of the URL). When this request reaches the ALB, the request will fail at the ALB, as the SSL hostname defined in the ALB SSL certificate will not match the host portion of the URL; hence the Host header is required when we have the same SSL certificate deployed on CloudFront and the ALB. This works if the ALB has its own SSL certificate matching its own host name definition, which means CloudFront and the ALB have different SSL certificates.
upvoted 7 times
jj22222
2 years, 11 months ago
D looks right.
upvoted 2 times
AzureDP900
3 years, 1 month ago
D is right. Remove the User-Agent HTTP header from the whitelist headers section on both of the cache behaviors. There is no need to remove the Host header.
upvoted 3 times
acloudguru
3 years, 1 month ago
Selected Answer: D
D, separate static and dynamic web content to increase cache hits.
upvoted 4 times
andylogan
3 years, 2 months ago
It's D.
upvoted 1 times
Kopa
3 years, 2 months ago
Going for D.
upvoted 1 times
Akhil254
3 years, 2 months ago
D is correct.
upvoted 1 times
student2020
3 years, 2 months ago
Correct answer is D. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-hit-ratio.html Create separate cache behaviors for static and dynamic content, and configure CloudFront to forward cookies to your origin only for dynamic content. The Host header is required for both cache behaviors so as not to break the SSL connection with the ALB.
upvoted 9 times
student2020
3 years, 2 months ago
The User-Agent header results in too much variation in each request and therefore lots of cache misses. Removing this header will improve the cache hit ratio. Try to avoid caching based on request headers that have large numbers of unique values. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-hit-ratio.html
upvoted 4 times
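Added example (not from the question, the commenters, or AWS): a small Python model of how whitelisted headers and cookies become part of the CloudFront cache key, plus the certificate-matching rule from the CloudFront documentation linked in the thread, applied to the original single behavior and to options A and D. It assumes a constructed ALB origin whose ACM certificate covers only the distribution's CNAME, and constructed sample traffic.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class CacheBehavior:
    path_pattern: str    # "/static/*" or "*" (the default behavior)
    headers: frozenset   # whitelisted headers: forwarded to the origin and part of the cache key
    cookies: frozenset   # whitelisted cookies: forwarded to the origin and part of the cache key

def select_behavior(behaviors, path):
    """Specific patterns are tried first; the default "*" behavior is tried last."""
    ordered = sorted(behaviors, key=lambda b: b.path_pattern == "*")
    return next(b for b in ordered if fnmatch(path, b.path_pattern))

def cache_key(behavior, req):
    """Every whitelisted header/cookie value is part of the key, so a high-cardinality
    header such as User-Agent multiplies the number of separately cached copies."""
    hdrs = tuple(sorted((h, req["headers"].get(h)) for h in behavior.headers))
    cks = tuple(sorted((c, req["cookies"].get(c)) for c in behavior.cookies))
    return (req["path"], hdrs, cks)

def distinct_objects(behaviors, requests):
    return len({cache_key(select_behavior(behaviors, r["path"]), r) for r in requests})

def origin_tls_ok(behavior, viewer_host, origin_domain, cert_names):
    """Simplified rule from the CloudFront docs: the origin certificate must cover the origin
    domain name, or the viewer's Host value if (and only if) the behavior forwards Host."""
    return origin_domain in cert_names or ("Host" in behavior.headers and viewer_host in cert_names)

# Constructed (hypothetical) origin: an ALB DNS name, with an ACM certificate issued only for the CNAME.
ORIGIN_DOMAIN = "my-alb-123456.us-east-1.elb.amazonaws.com"
CERT_NAMES = {"www.example.com"}
# Constructed traffic: 3 browsers x 2 logged-in users x 3 paths = 18 requests.
SAMPLE_REQUESTS = [
    {"path": p, "cookies": {"session": f"sess-{u}"},
     "headers": {"Host": "www.example.com", "User-Agent": ua, "Authorization": f"Bearer tok-{u}"}}
    for ua in ("Chrome/120", "Firefox/121", "Safari/17") for u in ("alice", "bob")
    for p in ("/static/app.css", "/static/logo.png", "/app/dashboard")
]
ORIGINAL = [CacheBehavior("*", frozenset({"Authorization", "Host", "User-Agent"}), frozenset({"session"}))]
OPTION_A = [CacheBehavior("/static/*", frozenset(), frozenset()),
            CacheBehavior("*", frozenset({"Authorization"}), frozenset({"session"}))]
OPTION_D = [CacheBehavior("/static/*", frozenset({"Host"}), frozenset()),
            CacheBehavior("*", frozenset({"Authorization", "Host"}), frozenset({"session"}))]

def evaluate(behaviors):
    """(number of distinct cached objects, whether every behavior still completes the origin handshake)"""
    tls = all(origin_tls_ok(b, "www.example.com", ORIGIN_DOMAIN, CERT_NAMES) for b in behaviors)
    return distinct_objects(behaviors, SAMPLE_REQUESTS), tls
```

Running `evaluate` on the three configurations shows the original behavior caching 18 separate objects for 18 requests, while both A and D collapse that to 4; only D keeps the handshake working because the static behavior still forwards Host.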
Radhaghosh
3 years, 2 months ago
Correct Answer - D. Since the distribution serves both static & dynamic content, you should have two cache behaviors, so options B & C are eliminated. Now between A & D, the Host HTTP header is required, and you can't remove it. So the only valid option is D. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/understanding-the-cache-key.html
upvoted 9 times
KnightVictor
3 years, 2 months ago
Going with D, verified in Neal Davis sample questions.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other