nerdexam
Amazon

DVA-C02 · Question #365

A company has an internal website that contains sensitive data. The company wants to make the website public. The company must ensure that only employees who authenticate through the company's OpenID

The correct answer is B. Create a public Application Load Balancer. C. Configure a listener for the load balancer that listens on HTTPS port 443. Add a default. An Application Load Balancer with an HTTPS listener and an authenticate-oidc action handles the OIDC authentication flow transparently before forwarding requests to the target, requiring no changes to the website code.

Submitted by kevin_r· Mar 5, 2026Security

Question

A company has an internal website that contains sensitive data. The company wants to make the website public. The company must ensure that only employees who authenticate through the company's OpenID Connect (OIDC) identity provider (IdP) can access the website. A developer needs to implement authentication without editing the website. Which combination of steps will meet these requirements? (Choose two.)

Options

  • ACreate a public Network Load Balancer.
  • BCreate a public Application Load Balancer.
  • CConfigure a listener for the load balancer that listens on HTTPS port 443. Add a default
  • DConfigure a listener for the load balancer that listens on HTTP port 80. Add a default authenticate
  • EConfigure a listener for the load balancer that listens on HTTPS port 443. Add a default AWS

How the community answered

(38 responses)
  • A
    8% (3)
  • B
    50% (19)
  • D
    16% (6)
  • E
    26% (10)

Why each option

An Application Load Balancer with an HTTPS listener and an authenticate-oidc action handles the OIDC authentication flow transparently before forwarding requests to the target, requiring no changes to the website code.

ACreate a public Network Load Balancer.

Network Load Balancers operate at Layer 4 (TCP/UDP) and have no capability to inspect HTTP headers or implement application-layer authentication flows such as OIDC.

BCreate a public Application Load Balancer.Correct

Application Load Balancers natively support OIDC and SAML-based authentication via listener rules; when an unauthenticated request arrives, the ALB redirects the user to the IdP, handles the token exchange, and only forwards the request to the backend after successful authentication.

CConfigure a listener for the load balancer that listens on HTTPS port 443. Add a defaultCorrect

OIDC authentication on an ALB listener requires HTTPS (port 443) because the IdP redirect flow exchanges authorization codes and tokens that must be protected in transit; the authenticate-oidc action in the listener rule triggers the full OIDC authorization code flow against the configured IdP.

DConfigure a listener for the load balancer that listens on HTTP port 80. Add a default authenticate

OIDC authentication requires HTTPS because tokens and authorization codes transmitted over HTTP port 80 would be exposed to interception; AWS also requires HTTPS listeners for the authenticate-oidc action.

EConfigure a listener for the load balancer that listens on HTTPS port 443. Add a default AWS

AWS WAF evaluates web requests against security rules (SQL injection, XSS, IP blocking) but does not implement identity-based authentication flows or integrate with OIDC identity providers.

Concept tested: ALB native OIDC authentication without application code changes

Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice