Answer – A
The AWS Documentation clearly mentions the configuration for the Distribution in such a scenario.
Origin Protocol Policy
Change the Origin Protocol Policy for the applicable origins in your distribution:
HTTPS Only – CloudFront uses only HTTPS to communicate with your custom origin.
Match Viewer – CloudFront communicates with your custom origin using HTTP or HTTPS, depending on the protocol of the viewer request. For example, if you choose Match Viewer for Origin Protocol Policy and the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin.
Choose Match Viewer only if you specify Redirect HTTP to HTTPS or HTTPS Only for Viewer Protocol Policy.
CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols.
Origin SSL Protocols
Choose the Origin SSL Protocols for the applicable origins in your distribution. The SSLv3 protocol is less secure, so we recommend that you choose SSLv3 only if your origin doesn`t support TLSv1 or later.
Note
The TLSv1 handshake is both backward and forward compatible with SSLv3, but TLSv1.1 and TLSv1.2 are not. In this case, the OpenSSL only sends an SSLv3 handshake.
Option B is incorrect since the Viewer Protocol should not be HTTP.
Options C and D are incorrect since you cannot specify the traffic to flow in Cloudfront through an Amazon Virtual Private Network
For more information on using HTTPS for a custom origin, please refer to the below URL
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html