In the solutions architect associate mock exam, there is the following question:
A company plans to implement a secure document storage application on AWS. The application will utilize Amazon S3 for file storage, needs to ensure encryption of the data in transit and at rest, and must manage access policies for encryption keys. Choose the best two solutions to meet these requirements.
One of the correct answer is marked as this:
Use AWS Certificate Manager (ACM) for SSL/TLS certificates to encrypt data in transit between the Application and Amazon S3.
However, in the lecture on Certificate Manager at 04:39, it is mentioned that you cannot use ACM to serve https traffic for an S3 bucket.
So I am unclear on whether ACM is a valid option here.
If someone could help clarify, it would help.
Kind Regards,
Aditya.
You can’t use ACM directly on S3, but you can do it by putting CloudFront in front of your bucket and putting the custom cert onto CloudFront.
If you were serving S3 content in a public facing application, you would want CloudFront anyway. Recall that buckets are regional and if a user is at the other side of the world, then they would experience latency when retrieving files from the bucket. CloudFront will cache the bucket data at edge locations closer to the users.
Also worth knowing is that to use certificates with CloudFront, they must be placed in ACM in the us-east-1 region. This can be a question in the exam
1 Like
Thanks for the clarification.
So using CloudFront is mandatory in this use-case with ACM. This solve my query.
If the answer would mention the use of CloudFront then there would be no ambiguity.
True.
S3 has https endpoints, but they are Amazon URLs. If you wanted your own domain name, i.e your own cert, then CloudFront is required.
1 Like