Which combination of steps should a SysOps administrator take to encrypt the traffic in transit?
(Choose two.)
For each cache behavior in the CloudFront distribution, modify the Viewer Protocol Policy setting to redirect HTTP to HTTPS.
For each cache behavior in the CloudFront distribution, modify the Viewer Protocol Policy setting to allow HTTP and HTTPS.
Enter the alternate domain name (CNAME) of www.example.com for the CloudFront distribution. Select the custom SSL certificate.
Configure an AWS WAF web ACL for the CloudFront distribution.
Configure CloudFront Origin Shield for the CloudFront origin.
Explanations:
Modifying the Viewer Protocol Policy to redirect HTTP to HTTPS ensures that all traffic to CloudFront is encrypted in transit by automatically redirecting any HTTP requests to HTTPS.
Allowing both HTTP and HTTPS does not guarantee that all traffic will be encrypted. It allows both insecure and secure connections, which is not in line with the requirement to encrypt all traffic.
Associating the custom SSL certificate (for www.example.com) with the CloudFront distribution ensures that SSL/TLS encryption is applied for the HTTPS connections, meeting the encryption requirement.
AWS WAF (Web Application Firewall) does not specifically address the encryption of traffic in transit. It is used for filtering and monitoring web traffic, not for enforcing encryption.
CloudFront Origin Shield is a feature designed to reduce the load on the origin server by caching content closer to the origin. It does not relate directly to ensuring encryption of traffic between CloudFront and the clients.
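
The two settings from the explanations above can be checked against a distribution's configuration. The following is an added example, not part of the original question: it audits a dictionary shaped like the DistributionConfig returned by `aws cloudfront get-distribution-config`. The function name, the sample configurations and the certificate ARN are constructed for illustration.

```python
# Added example: audit a CloudFront DistributionConfig for the Viewer Protocol
# Policy of every cache behavior and for an alias plus custom certificate.
ENCRYPTING_POLICIES = {"redirect-to-https", "https-only"}

def audit_distribution(config, hostname):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    # Each cache behavior carries its own policy: the default one and any path-based ones.
    behaviors = [("default (*)", config.get("DefaultCacheBehavior", {}))]
    for b in config.get("CacheBehaviors", {}).get("Items") or []:
        behaviors.append((b.get("PathPattern", "?"), b))
    for name, b in behaviors:
        policy = b.get("ViewerProtocolPolicy")
        if policy not in ENCRYPTING_POLICIES:
            findings.append(f"behavior {name}: ViewerProtocolPolicy={policy!r} permits plain HTTP")
    # Simplification: exact match only, wildcard aliases are not expanded.
    if hostname not in (config.get("Aliases", {}).get("Items") or []):
        findings.append(f"alternate domain name {hostname} is not configured")
    cert = config.get("ViewerCertificate", {})
    has_custom = bool(cert.get("ACMCertificateArn") or cert.get("IAMCertificateId"))
    if cert.get("CloudFrontDefaultCertificate") or not has_custom:
        findings.append("no custom SSL certificate is selected")
    return findings

# Constructed sample: the default behavior redirects, but one path still allows HTTP.
WEAK = {
    "Aliases": {"Quantity": 0},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/images/*", "ViewerProtocolPolicy": "allow-all"}]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
}
# Constructed sample with both settings applied (placeholder certificate ARN).
FIXED = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/images/*", "ViewerProtocolPolicy": "redirect-to-https"}]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER",
        "SSLSupportMethod": "sni-only"},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_distribution(cfg, "www.example.com") or "OK")
```

The weak sample shows why the setting must be changed for each cache behavior: a single path pattern left on allow-all keeps plain HTTP available even when the default behavior redirects.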