How can these requirements be met?
(Choose two.)
Use AWS KMS to encrypt traffic between CloudFront and the web application.
Set the Origin Protocol Policy to “HTTPS Only”.
Set the Origin’s HTTP Port to 443.
Set the Viewer Protocol Policy to “HTTPS Only” or “Redirect HTTP to HTTPS”.
Enable the CloudFront option Restrict Viewer Access.
Explanations:
AWS KMS creates and manages encryption keys and is used to protect data at rest (directly for small payloads, or through envelope encryption of data keys); it plays no part in protecting data in transit. Encryption of traffic on the network is provided by TLS, which for CloudFront is configured through the viewer and origin protocol policies rather than through KMS.
Setting the Origin Protocol Policy to “HTTPS Only” makes CloudFront connect to the origin server (the web application) exclusively over HTTPS, so traffic between CloudFront and the web application is encrypted. For this to work the origin must present a certificate issued by a trusted certificate authority whose names cover the origin domain name; CloudFront does not accept self-signed certificates.
Setting the Origin’s HTTP Port to 443 alone does not encrypt traffic. The HTTP Port setting only tells CloudFront which port to use when it connects with plain HTTP; with an Origin Protocol Policy of “HTTP Only” CloudFront would still send cleartext, just to port 443, where a TLS listener would reject it. Encryption comes from the protocol policy, not from the port number.
Setting the Viewer Protocol Policy to “HTTPS Only” or “Redirect HTTP to HTTPS” ensures that all connections from users to CloudFront are encrypted using HTTPS, thereby securing the traffic between users and CloudFront. With “HTTPS Only” a plain-HTTP request is refused with a 403 response; with “Redirect HTTP to HTTPS” it receives a 301 redirect to the HTTPS URL, which is the usual choice for a public web application.
Enabling the CloudFront option Restrict Viewer Access requires viewers to present a signed URL or signed cookie. It is an authorization control that decides who may fetch the content and does not address the encryption of traffic: it ensures neither that data in transit is encrypted between users and CloudFront nor between CloudFront and the origin.
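As an added example (not part of the original question or of any AWS tooling), the following script audits a CloudFront distribution configuration for the two settings the correct answers rely on. The two dictionaries are constructed samples shaped like the DistributionConfig that `aws cloudfront get-distribution-config` returns; only the keys the check reads are included, which is an assumption made for illustration. The weak sample reproduces the mistake in the “HTTP Port 443” option, and the fixed sample applies the Origin Protocol Policy and Viewer Protocol Policy answers.

```python
"""Audit CloudFront distribution configs for TLS on both legs of the path.

Added example for this page, not AWS code. The sample configs are
constructed and contain only the keys this check reads (assumption).
"""

# Viewer policies that guarantee the viewer -> CloudFront leg is TLS.
VIEWER_TLS_POLICIES = {"https-only", "redirect-to-https"}
# Origin-side protocol versions that should no longer be negotiated.
WEAK_ORIGIN_SSL = {"SSLv3", "TLSv1", "TLSv1.1"}


def viewer_policies(config):
    """Collect ViewerProtocolPolicy from the default and any extra cache behaviors."""
    policies = [config["DefaultCacheBehavior"]["ViewerProtocolPolicy"]]
    for behavior in config.get("CacheBehaviors", {}).get("Items", []):
        policies.append(behavior["ViewerProtocolPolicy"])
    return policies


def audit_distribution(config):
    """Return a list of findings; an empty list means both legs are encrypted."""
    findings = []
    viewer_ok = all(p in VIEWER_TLS_POLICIES for p in viewer_policies(config))
    if not viewer_ok:
        findings.append("viewer: a cache behavior allows plaintext HTTP (allow-all)")

    for origin in config["Origins"]["Items"]:
        oid = origin["Id"]
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            # S3 REST origin: CloudFront reuses the viewer's protocol, so this
            # leg is only encrypted when the viewer policy forces HTTPS.
            if not viewer_ok:
                findings.append(f"origin {oid}: S3 origin inherits the viewer protocol; plaintext possible")
            continue
        policy = custom["OriginProtocolPolicy"]
        if policy == "http-only":
            msg = f"origin {oid}: OriginProtocolPolicy is http-only; CloudFront->origin traffic is cleartext"
            if custom.get("HTTPPort") == 443:
                # The trap in the question: port 443 with the HTTP policy still sends cleartext.
                msg += " (HTTPPort=443 does not make it HTTPS)"
            findings.append(msg)
        elif policy == "match-viewer" and not viewer_ok:
            findings.append(f"origin {oid}: match-viewer with a permissive viewer policy allows cleartext to the origin")
        weak = WEAK_ORIGIN_SSL & set(custom.get("OriginSslProtocols", {}).get("Items", []))
        if weak:
            findings.append(f"origin {oid}: weak origin TLS versions enabled: {sorted(weak)}")
    return findings


# Constructed sample: the "set the HTTP port to 443" misconfiguration.
WEAK_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "Origins": {"Items": [{
        "Id": "webapp",
        "CustomOriginConfig": {
            "HTTPPort": 443, "HTTPSPort": 443,
            "OriginProtocolPolicy": "http-only",
            "OriginSslProtocols": {"Items": ["TLSv1", "TLSv1.2"]},
        },
    }]},
}

# Constructed sample: Origin Protocol Policy and Viewer Protocol Policy corrected.
FIXED_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "Origins": {"Items": [{
        "Id": "webapp",
        "CustomOriginConfig": {
            "HTTPPort": 80, "HTTPSPort": 443,
            "OriginProtocolPolicy": "https-only",
            "OriginSslProtocols": {"Items": ["TLSv1.2"]},
        },
    }]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_distribution(cfg) or "no findings")
```

Against a live account the same function can be fed the `DistributionConfig` element of each distribution returned by `get-distribution-config`; the check deliberately ignores Restrict Viewer Access, since signed URLs govern authorization, not encryption.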