Q36 — AWS DVA-C02 Ch.1


A developer is creating an application with an Amazon API Gateway REST API in the us-east-2 Region. The developer wants to use Amazon CloudFront with a custom domain name for the API. The developer has already obtained an SSL/TLS certificate for the domain through a third-party certificate authority. How should the developer configure the custom domain for the application?

Correct Answer: D. Import the SSL/TLS certificate into AWS Certificate Manager (ACM) in the us-east-1 Region. Create a DNS CNAME record for the custom domain.

Explanation

SSL/TLS certificate location: AWS Certificate Manager (ACM) is AWS’s managed service for provisioning and managing SSL/TLS certificates. CloudFront requires certificates from ACM to enable HTTPS.

Regional constraint: ACM certificates are region-specific. Although the API Gateway is deployed in us-east-2, CloudFront requires the certificate to reside in us-east-1 (the only Region where CloudFront can retrieve ACM certificates).

DNS record: After importing the certificate into ACM in us-east-1, the developer must create a DNS CNAME record pointing the custom domain to the CloudFront distribution domain name, enabling secure global CDN delivery.

Comparison with other options:

Option B incorrectly assumes CloudFront accepts direct certificate imports; it does not, and relies exclusively on ACM.

Option C incorrectly places the ACM certificate in us-east-2, which CloudFront cannot access.

Option A incorrectly recommends an A record; CloudFront distributions require CNAME records (not A records) for custom domains.

Thus, the correct answer is Option D: Import the SSL/TLS certificate into ACM in us-east-1 and create a DNS CNAME record for the custom domain so CloudFront can serve the API Gateway securely.