CloudFront 3

Question 1

SSL

How does CF handle HTTP and HTTPS?

Answer 1

Options: “HTTP and HTTPS”, “Redirect HTTP to HTTPS”, “HTTPS only”

Question 2

SSL

How can CF handle only HTTP?

Answer 2

Can’t

Question 3

SSL

How do you enable SSL for CF?

important

Answer 3

On by default

Question 4

SSL

Where does your distro get its default SSL cert?

important

Answer 4

Kinda doesn’t: uses cert for *.cloudfront.net

Question 5

SSL

Where are custom certs for CF distros managed?

important

Answer 5

ACM in us-east-1 only

Question 6

SSL

Does CF “break SSL”?

Answer 6

Yes, separate SSL connections for viewer–>CF and CF–>Origin

Question 7

SSL

2 limitations for viewer–>CF certs?

important

Answer 7

Can’t be self-signed, hae to be public certificates

Question 8

SSL

2 limitations for CF–>Origin certs?

important

Answer 8

Can’t be self-signed, hae to be public certificates

Question 9

SSL

How do you use a pretty DNS name for your distro?

Answer 9

You own the Route53 zone, own the ACM cert, register with distro

Question 10

SSL

Where do CF distros get custom ACM certs from?

Answer 10

us-east-1 only

Question 11

SNI

What is SNI?

Answer 11

Server responds with the right server cert based on the incoming Host header.

Question 12

SNI

Why is SNI so cool?

Answer 12

Use a single server/port to support multiple web servers. Saves IP + Port combinations.

Question 13

SNI

What is the major requirement for SNI?

Answer 13

Has to use TLS, not SSL.

Question 14

SNI

Why use SNI by default for CF?

Answer 14

CFN product can handle multiple distribitions across customers on a single IP.

Question 15

SNI

What if you don’t want TLS and SNI?

Answer 15

Can pay extra for dedicated IP addr that only supports a single server SSL certificate.

Question 16

SNI

What does SNI cost?

Answer 16

Free. It’s non-SNI (old SSL) that has $600 per site per month extra charge

Question 17

Field-level Encryption

What’s the big downside of using HTTPS to secure data?

Answer 17

It’s plaintext in CF and Origin (think credit card numbers)

Question 18

Field-level Encryption

What is CF’s solution for end-to-end protection?

Answer 18

CF will encrypt specific fields in request payload so it stays encrypted at rest and throughout the app

Question 19

Field-level Encryption

Where does this field-level encryption happen?

Answer 19

At CF Edge locations

Question 20

Field-level Encryption

What does it use to encrypt specific fields?

Answer 20

Individual public/private keypair. Give access to CF and only necessary parts of your architecture

Question 21

Field-level Encryption

Why bother encrypting something so it stays encrypted after CF?

Answer 21

Assures it can only be used by users or certain apps with the private key to unencrypt it