AWS Certified Solutions Architect - Professional 2020


2019 SAP exam question,

A company is using an Amazon CloudFront distribution to distribute both static and dynamic content from a web application running behind an Application Load Balancer. The web application requires user authorization and session tracking for dynamic content. The CloudFront distribution has a single cache behavior configured to forward the Authorization, Host, and User-Agent HTTP whitelist headers and a session cookie to the origin. All other cache behavior settings are set to their default value. A valid ACM certificate is applied to the CloudFront distribution with a matching CNAME in the distribution settings. The ACM certificate is also applied to the HTTPS listener for the Application Load Balancer. The CloudFront origin protocol policy is set to HTTPS only. Analysis of the cache statistics report shows that the miss rate for this distribution is very high. What can the Solutions Architect do to improve the cache hit rate for this distribution without causing the SSL/TLS handshake between CloudFront and the Application Load Balancer to fail?

A. Create two cache behaviors for static and dynamic content. Remove the User-Agent and Host HTTP headers from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for the cache behavior configured for static content.

B. Remove the User-Agent and Authorization HTTPS headers from the whitelist headers section of the cache behavior. Then update the cache behavior to use presigned cookies for authorization.

C. Remove the Host HTTP header from the whitelist headers section and remove the session cookie from the whitelist cookies section for the default cache behavior. Enable automatic object compression and use Lambda@Edge viewer request events for user authorization.

D. Create two cache behaviors for static and dynamic content. Remove the User-Agent HTTP header from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for cache behavior configured for static content. 

Answer B, D

2 Answers

Why not option C? Using Lambda@Edge for authorization would be a better choice. I am just going by the elimination method.

Alex Ramzy

Not sure.

One way of increasing cache hit is to reduce the headers and query parameters used in the cache lookup. The doc is at https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-hit-ratio.html.

It looks like the question is getting at which headers must be passed to the application and which ones can be removed.

A – Breaking up the origin into static and dynamic would help. The application needs the session and authorization headers, and neither needs the User-Agent or Host.

B – The application requires the authorization header

C – The application requires the session header

D – Almost the same as A, except the Host header is kept, meaning that it will affect the cache hit rate.

The question has two parts, increase cache hit ratio, and don’t break SSL between CloudFront and the ALB. The second part seems extra, I didn’t see anything in the answer list that would break it.

So, long story, but A will do the best at increasing the cache hit ratio.

Aravind

Also worth having a look at https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-https-connection-fails/ which talks about "If you’re whitelisting the host header on your CloudFront distribution, verify that the Application Load Balancer has a TLS certificate configured with the same name. Otherwise, the Application Load Balancer offers its default certificate, which might not match the SNI associated with the ClientHello message from CloudFront."

Hazem Yousry

But in the question "A valid ACM certificate is applied to the CloudFront distribution with a matching CNAME in the distribution settings. The ACM certificate is also applied to the HTTPS listener for the Application Load Balancer", so the Host header is not required.
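As an added example (not part of the original thread or of any AWS code), the script below models the two things the answers above argue about: how the headers and cookies a cache behavior forwards become part of the cache key, and which host name CloudFront ends up presenting to the ALB's TLS listener. It builds the single behavior from the question plus the two-behavior splits of options A and D in the legacy `ForwardedValues` shape that boto3's `DistributionConfig` accepts, replays constructed traffic from four logged-in users through a simplified cache-key model, and then reports which names must be on the ALB certificate. The cache-key model, the path patterns, the `www.example.com` host, the users and the origin domain name are all assumptions; the question never says what the origin domain name is, and the example uses the ALB's own DNS name for it.

```python
"""Added example, not from the original thread or from AWS.

Simulates how CloudFront's legacy ForwardedValues settings shape the cache
key, and which name CloudFront validates the ALB certificate against.

Assumptions (none of these appear on the page): the cache key is modelled as
path + forwarded headers + forwarded cookies (query strings not forwarded);
host names, paths, users and the origin domain name are made up.
"""
from fnmatch import fnmatchcase


def behavior(path_pattern, headers=(), cookies=()):
    """One cache behaviour, in the shape boto3's DistributionConfig uses."""
    fv = {
        "QueryString": False,
        "Headers": {"Quantity": len(headers), "Items": list(headers)},
        "Cookies": {"Forward": "whitelist" if cookies else "none"},
    }
    if cookies:
        fv["Cookies"]["WhitelistedNames"] = {"Quantity": len(cookies), "Items": list(cookies)}
    return {"PathPattern": path_pattern, "TargetOriginId": "alb-origin",
            "ViewerProtocolPolicy": "redirect-to-https", "ForwardedValues": fv}


# The distribution as described in the question: one (default) behaviour.
ORIGINAL = [behavior("*", ["Authorization", "Host", "User-Agent"], ["session"])]

# Option A: static split out with nothing forwarded; dynamic keeps only what
# the application needs (Authorization header + session cookie).
OPTION_A = [behavior("/static/*"),
            behavior("*", ["Authorization"], ["session"])]

# Option D: the same split, but Host stays whitelisted on both behaviours.
OPTION_D = [behavior("/static/*", ["Host"]),
            behavior("*", ["Authorization", "Host"], ["session"])]


def match_behavior(behaviors, path):
    """CloudFront tries path patterns in order; the default ('*') is last."""
    return next(b for b in behaviors if fnmatchcase(path, b["PathPattern"]))


def cache_key(behaviors, req):
    """Everything a behaviour forwards becomes part of the key (simplified)."""
    b = match_behavior(behaviors, req["path"])
    fv = b["ForwardedValues"]
    hdrs = {k.lower(): v for k, v in req["headers"].items()}
    key_headers = tuple((h, hdrs.get(h.lower())) for h in sorted(fv["Headers"]["Items"]))
    wanted = fv["Cookies"].get("WhitelistedNames", {}).get("Items", [])
    key_cookies = tuple((c, req["cookies"].get(c)) for c in sorted(wanted))
    return (b["PathPattern"], req["path"], key_headers, key_cookies)


def simulate(behaviors, requests):
    """Return (hits, total) for a cold cache fed these requests in order."""
    seen, hits = set(), 0
    for req in requests:
        k = cache_key(behaviors, req)
        hits += k in seen
        seen.add(k)
    return hits, len(requests)


def sni_names(behaviors, requests, origin_domain):
    """Names the ALB certificate must cover for this traffic.

    With Host whitelisted, CloudFront passes the viewer's Host through and the
    ALB must hold a certificate for that name (the knowledge-center note quoted
    in the thread); otherwise CloudFront uses the origin domain name configured
    on the distribution and validates the certificate against that.
    """
    names = set()
    for req in requests:
        fv = match_behavior(behaviors, req["path"])["ForwardedValues"]
        names.add(req["headers"]["Host"] if "Host" in fv["Headers"]["Items"] else origin_domain)
    return names


def tls_handshake_ok(names, alb_cert_sans):
    """True when every name CloudFront will present is on the ALB certificate."""
    return all(n in alb_cert_sans for n in names)


# Constructed traffic: four logged-in users, each with their own browser,
# bearer token and session cookie, fetching two static assets and one page.
USERS = [("alice", "UA/1"), ("bob", "UA/2"), ("carol", "UA/3"), ("dave", "UA/4")]
REQUESTS = [
    {"path": p,
     "headers": {"Host": "www.example.com", "User-Agent": ua,
                 "Authorization": f"Bearer token-{u}"},
     "cookies": {"session": f"sess-{u}"}}
    for u, ua in USERS for p in ("/static/app.js", "/static/logo.png", "/api/profile")
]

if __name__ == "__main__":
    alb_dns = "alb-123.us-east-1.elb.amazonaws.com"   # assumed origin domain name
    alb_cert_sans = {"www.example.com"}                # the ACM cert from the question
    for name, cfg in (("original", ORIGINAL), ("option A", OPTION_A), ("option D", OPTION_D)):
        hits, total = simulate(cfg, REQUESTS)
        ok = tls_handshake_ok(sni_names(cfg, REQUESTS, alb_dns), alb_cert_sans)
        print(f"{name}: {hits}/{total} hits, ALB handshake ok={ok}")
```

Running it shows the single behavior from the question missing on every request, because each user's Authorization, User-Agent and session value lands in the key even for `/static/*`, while both splits serve the static assets from cache after the first fetch. Keeping Host whitelisted (option D) costs nothing in this traffic because every viewer sends the same Host; it only fragments the key when several host names reach the same distribution. The handshake check is the part the thread argues about: with Host whitelisted the ALB sees `www.example.com`, which the ACM certificate covers; without it, CloudFront validates against whatever the origin domain name is, so that name must also be on the listener certificate.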
