CloudFront 3 Flashcards

1
Q

SSL

How does CF handle HTTP and HTTPS?

A

Viewer protocol policy, one of: "HTTP and HTTPS", "Redirect HTTP to HTTPS", "HTTPS only"

2
Q

SSL

How can CF handle only HTTP?

A

Can't: there is no HTTP-only viewer protocol policy, so HTTPS is always available on a distribution

3
Q

SSL

How do you enable SSL for CF?

important

A

On by default: every distribution serves HTTPS on its *.cloudfront.net name; you only choose the viewer protocol policy

4
Q

SSL

Where does your distro get its default SSL cert?

important

A

It doesn't get its own: the default domain is served with Amazon's wildcard certificate for *.cloudfront.net

5
Q

SSL

Where are custom certs for CF distros managed?

important

A

ACM in us-east-1 only

6
Q

SSL

Does CF “break SSL”?

A

Yes: two separate TLS sessions, viewer->CF and CF->origin. CF terminates the viewer's TLS at the edge and opens a new session to the origin, so the data is plaintext inside CF

7
Q

SSL

2 limitations for viewer->CF certs?

important

A

Can't be self-signed; must be issued by a publicly trusted CA (and cover the distribution's alternate domain names)

8
Q

SSL

2 limitations for CF->Origin certs?

important

A

Can't be self-signed; must be issued by a publicly trusted CA and include a name matching the origin domain (or the Host header CF forwards)

9
Q

SSL

How do you use a pretty DNS name for your distro?

A

Add the name as an alternate domain name (CNAME) on the distribution, attach an ACM cert (us-east-1) that covers it, then point DNS at the distribution's *.cloudfront.net name (a Route 53 alias record, or a CNAME in any other DNS provider)

10
Q

SSL

Where do CF distros get custom ACM certs from?

A

us-east-1 only

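Cards 1 through 10 all describe settings that live in one DistributionConfig. As an added example (not from the flashcards), here is an audit over a constructed config that flags the weak choices those cards warn about, plus a hardened copy that passes. Field names follow the DistributionConfig shape returned by `aws cloudfront get-distribution-config`; the ARNs, IDs and domain names are placeholders.

```python
"""Audit the TLS settings of a CloudFront DistributionConfig.

Added example, not part of the flashcards. Field names follow the
DistributionConfig shape returned by `aws cloudfront get-distribution-config`;
the sample below is constructed for this example with placeholder IDs/ARNs.
"""
import copy

# Constructed sample: the weak choices the cards warn about, side by side.
SAMPLE_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": False,
        # wrong region: CloudFront only accepts ACM certificates from us-east-1
        "ACMCertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/placeholder",
        "SSLSupportMethod": "vip",            # dedicated IP, billed per certificate
        "MinimumProtocolVersion": "TLSv1",
    },
    "DefaultCacheBehavior": {"TargetOriginId": "api", "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/checkout/*", "TargetOriginId": "api", "ViewerProtocolPolicy": "https-only"},
    ]},
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "http-only",
                                "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "TLSv1.2"]}}},
        {"Id": "static", "DomainName": "placeholder-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
}

WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def audit_distribution(cfg: dict) -> list[str]:
    """Return one finding per weak setting; an empty list means clean."""
    findings = []
    vc = cfg.get("ViewerCertificate", {})
    aliases = cfg.get("Aliases", {}).get("Items") or []

    # Viewer -> CF leg: which certificate, how it is served, which protocols.
    if vc.get("CloudFrontDefaultCertificate"):
        if aliases:
            findings.append("default *.cloudfront.net cert cannot cover aliases: " + ", ".join(aliases))
    else:
        arn = vc.get("ACMCertificateArn", "")
        if arn and ":us-east-1:" not in arn:
            findings.append(f"ACM cert must be in us-east-1, got {arn}")
        if vc.get("SSLSupportMethod") == "vip":
            findings.append("SSLSupportMethod=vip (dedicated IP): use sni-only unless non-SNI clients are required")
        if not str(vc.get("MinimumProtocolVersion", "")).startswith("TLSv1.2"):
            findings.append(f"MinimumProtocolVersion={vc.get('MinimumProtocolVersion')}: require a TLSv1.2 policy")

    # Viewer protocol policy per behavior: allow-all serves cleartext HTTP.
    behaviors = [cfg.get("DefaultCacheBehavior", {})] + list(cfg.get("CacheBehaviors", {}).get("Items") or [])
    for b in behaviors:
        if b.get("ViewerProtocolPolicy") == "allow-all":
            findings.append(f"{b.get('PathPattern', 'default')}: ViewerProtocolPolicy=allow-all, "
                            "use redirect-to-https or https-only")

    # CF -> origin leg is a separate TLS session with its own settings.
    for o in cfg.get("Origins", {}).get("Items") or []:
        custom = o.get("CustomOriginConfig")
        if not custom:
            continue  # S3 origins carry no custom TLS settings in this shape
        if custom.get("OriginProtocolPolicy") == "http-only":
            findings.append(f"origin {o['Id']}: OriginProtocolPolicy=http-only, CF->origin is cleartext")
        weak = sorted(WEAK_PROTOCOLS & set(custom.get("OriginSslProtocols", {}).get("Items") or []))
        if weak:
            findings.append(f"origin {o['Id']}: weak OriginSslProtocols {weak}")
    return findings


def hardened_copy(cfg: dict) -> dict:
    """Return a copy with every setting this audit checks set to the strong choice.
    The certificate ARN is only rewritten to a placeholder: a real fix means
    requesting the certificate in us-east-1."""
    out = copy.deepcopy(cfg)
    out["ViewerCertificate"].update({
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/placeholder",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    })
    for b in [out["DefaultCacheBehavior"]] + out["CacheBehaviors"]["Items"]:
        if b.get("ViewerProtocolPolicy") == "allow-all":
            b["ViewerProtocolPolicy"] = "redirect-to-https"
    for o in out["Origins"]["Items"]:
        if "CustomOriginConfig" in o:
            o["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
            o["CustomOriginConfig"]["OriginSslProtocols"] = {"Quantity": 1, "Items": ["TLSv1.2"]}
    return out


if __name__ == "__main__":
    for f in audit_distribution(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("hardened:", audit_distribution(hardened_copy(SAMPLE_CONFIG)))
```

Run it against the JSON from `aws cloudfront get-distribution-config --id <id>` (the `DistributionConfig` key) to check a real distribution; the sample config trips six findings and the hardened copy none.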
11
Q

SNI

What is SNI?

A

A TLS extension: the client sends the hostname it wants in the ClientHello (server_name), and the server picks the matching certificate from that. It is not the HTTP Host header, which is sent only after the handshake, inside the encrypted session.

12
Q

SNI

Why is SNI so cool?

A

Many HTTPS sites, each with its own certificate, on one IP and port. Saves IP + port combinations.

13
Q

SNI

What is the major requirement for SNI?

A

The client has to support the SNI extension (TLS, not legacy SSL); very old clients don't, so they get the wrong certificate or no connection.

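To make the distinction in card 11 concrete, an added example (not from the flashcards) that builds a minimal TLS 1.2 ClientHello carrying a server_name extension and parses the name back out. Record layout follows RFC 5246 (ClientHello) and RFC 6066 (server_name); the cipher suites and the all-zero random are filler, enough for a parser but not a usable handshake.

```python
"""Build a minimal ClientHello with an SNI extension and extract the name.

Added example, not from the flashcards: shows that the name SNI uses is in
the TLS handshake, not in the HTTP Host header. The random field is zeroed
for determinism; a real client uses 32 random bytes.
"""
import struct

EXT_SERVER_NAME = 0x0000   # RFC 6066 extension type
HOST_NAME_TYPE = 0         # only NameType defined: host_name


def build_client_hello(server_name, cipher_suites=(0xC02F, 0xC030)) -> bytes:
    """Return a TLS record holding a ClientHello; server_name=None omits SNI."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext)) + ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + b"\x00" * 32                                # random (zeroed here)
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: [null]
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello, uint24 len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # content_type handshake


def _take(buf: bytes, off: int, n: int):
    """Bounds-checked slice so truncated input raises instead of misparsing."""
    if off + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off:off + n], off + n


def extract_sni(record: bytes):
    """Return the host_name from the server_name extension, or None if the
    record is not a ClientHello or carries no SNI."""
    hdr, off = _take(record, 0, 5)
    if hdr[0] != 0x16:                       # not a handshake record (e.g. plain HTTP)
        return None
    handshake, _ = _take(record, off, struct.unpack("!H", hdr[3:5])[0])

    hs_hdr, off = _take(handshake, 0, 4)
    if hs_hdr[0] != 0x01:                    # not client_hello
        return None
    hello, _ = _take(handshake, off, int.from_bytes(hs_hdr[1:4], "big"))

    _, off = _take(hello, 0, 2 + 32)                            # version + random
    sid_len, off = _take(hello, off, 1)
    _, off = _take(hello, off, sid_len[0])                      # session_id
    cs_len, off = _take(hello, off, 2)
    _, off = _take(hello, off, struct.unpack("!H", cs_len)[0])  # cipher_suites
    cm_len, off = _take(hello, off, 1)
    _, off = _take(hello, off, cm_len[0])                       # compression_methods
    if off == len(hello):
        return None                                             # no extensions block
    ext_len, off = _take(hello, off, 2)
    exts, _ = _take(hello, off, struct.unpack("!H", ext_len)[0])

    off = 0
    while off < len(exts):
        ext_hdr, off = _take(exts, off, 4)
        ext_type, ext_data_len = struct.unpack("!HH", ext_hdr)
        ext_data, off = _take(exts, off, ext_data_len)
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len, pos = _take(ext_data, 0, 2)
        names, _ = _take(ext_data, pos, struct.unpack("!H", list_len)[0])
        pos = 0
        while pos < len(names):
            entry_hdr, pos = _take(names, pos, 3)
            name_type, name_len = struct.unpack("!BH", entry_hdr)
            name, pos = _take(names, pos, name_len)
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))
    print(extract_sni(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```

Feeding a plain HTTP request to the parser returns None even though it has a Host header, which is the point of card 11: a server choosing certificates by SNI never sees HTTP until after the certificate has been sent. Non-ASCII names arrive in IDNA (punycode) form, as the RFC requires.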
14
Q

SNI

Why use SNI by default for CF?

A

CF can serve many distributions, across many customers, from a single IP at each edge location.

15
Q

SNI

What if you don’t want TLS and SNI?

A

Pay extra for dedicated IP custom SSL: CF allocates dedicated IP addresses for the distribution at each edge, so its single certificate can be served without SNI.

16
Q

SNI

What does SNI cost?

A

Free. Dedicated IP custom SSL (for clients without SNI) is the one that costs $600 per month per certificate.

17
Q

Field-level Encryption

What’s the big downside of using HTTPS to secure data?

A

HTTPS only protects data in transit: it's plaintext inside CF and at the origin (think credit card numbers)

18
Q

Field-level Encryption

What is CF’s solution for end-to-end protection?

A

CF encrypts specific fields of a POST request payload with your public key, so they stay encrypted at rest and throughout the app until a component holding the private key needs them

19
Q

Field-level Encryption

Where does this field-level encryption happen?

A

At CF Edge locations

20
Q

Field-level Encryption

What does it use to encrypt specific fields?

A

A public/private key pair you generate: only the public key is uploaded to CF; the private key goes only to the parts of your architecture that must read the field

21
Q

Field-level Encryption

Why bother encrypting something so it stays encrypted after CF?

A

Guarantees the field can be read only by the users or apps holding the private key, regardless of what sits between CF and them