Question
A company has a secure website running on Amazon EC2 instances behind an Application Load Balancer (ALB). An SSL certificate from AWS Certificate Manager (ACM) is used on the ALB. Users with legacy web browsers are experiencing issues with the website. How should the SysOps administrator resolve these issues in the MOST operationally efficient manner?
A. Create a new SSL certificate in ACM and install the new certificate on the ALB to support legacy web browsers.
B. Create a second ALB and install a custom SSL certificate with a different domain name on the second ALB to support legacy web browsers.
C. Remove the ALB from the configuration and install a custom SSL certificate on each web server.
D. Update the SSL negotiation configuration of the ALB with a security policy that contains ciphers for legacy web browsers.
Answer
D. Update the SSL negotiation configuration of the ALB with a security policy that contains ciphers for legacy web browsers.
Explanation
The correct answer is D. Update the SSL negotiation configuration of the ALB with a security policy that contains ciphers for legacy web browsers.
SSL, or Secure Sockets Layer (today its successor TLS, although the AWS load balancer settings still use the "SSL" name), is a protocol that encrypts and secures the communication between a web browser and a web server. SSL uses certificates to authenticate the identity of the web server and ciphers to encrypt and decrypt the data. A cipher is a combination of an encryption algorithm and a key length.
An ALB, or Application Load Balancer, is a service that distributes incoming traffic across multiple EC2 instances. An ALB can also terminate SSL connections from web browsers and forward the requests to the EC2 instances. An ALB uses an SSL certificate to prove its identity to the web browsers and an SSL negotiation configuration (a security policy on the HTTPS listener) to determine which ciphers and protocols to use for the SSL connections.
ACM, or AWS Certificate Manager, is a service that allows you to provision, manage, and renew SSL certificates for your AWS resources. You can use ACM to request and deploy an SSL certificate for your ALB.
Updating the SSL negotiation configuration of the ALB with a security policy that contains ciphers for legacy web browsers can resolve the issues in the most operationally efficient manner because:
- It can enable the ALB to support SSL connections from web browsers that use older or weaker ciphers. Some legacy web browsers may not support the latest or strongest ciphers that are recommended for security and performance. By using a security policy that contains ciphers for legacy web browsers, you can ensure that the ALB can negotiate an SSL connection with any web browser that visits your website. Keep in mind that a policy permitting older protocols and ciphers lowers the listener's baseline for every client, so choose the narrowest policy that still covers the browsers you must support.
- It does not require any changes to the SSL certificate or the domain name of the website. You can keep using the same SSL certificate from ACM and the same domain name for your website. You only need to modify the SSL negotiation configuration of your ALB, which is a simple and quick process.
- It does not require any changes to the EC2 instances or the web servers. You can keep using the same EC2 instances and web servers for your website. You do not need to install any SSL certificates or configure any SSL settings on your web servers. The ALB will handle all the SSL termination and forwarding for you.
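As an added illustration that is not part of the original page: a Python helper that, given the JSON shape returned by `aws elbv2 describe-ssl-policies`, picks the narrowest security policy that still admits a given legacy client and lists the weak ciphers that choice enables. The policy names and cipher lists are constructed for the example, not AWS's published tables, and `apply_policy` assumes boto3 and AWS credentials are available.

```python
import json
from typing import Dict, List, Optional

# Cipher name fragments a defender wants flagged when a policy enables them
# (constructed list for this example; extend to taste).
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXPORT")

# Constructed sample in the shape of `aws elbv2 describe-ssl-policies` output.
# Policy names and cipher lists are illustrative, not AWS's real policies.
SAMPLE_POLICIES = json.loads("""{"SslPolicies": [
 {"Name": "POLICY-TLS13-ONLY", "SslProtocols": ["TLSv1.3"],
  "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256"}, {"Name": "TLS_AES_256_GCM_SHA384"}]},
 {"Name": "POLICY-TLS12-MODERN", "SslProtocols": ["TLSv1.2", "TLSv1.3"],
  "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256"}, {"Name": "ECDHE-RSA-AES128-GCM-SHA256"},
              {"Name": "ECDHE-RSA-AES256-GCM-SHA384"}]},
 {"Name": "POLICY-LEGACY-COMPAT", "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
  "Ciphers": [{"Name": "ECDHE-RSA-AES128-GCM-SHA256"}, {"Name": "ECDHE-RSA-AES128-SHA"},
              {"Name": "AES128-SHA"}, {"Name": "DES-CBC3-SHA"}]},
 {"Name": "POLICY-LEGACY-NO-3DES", "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
  "Ciphers": [{"Name": "ECDHE-RSA-AES128-GCM-SHA256"}, {"Name": "ECDHE-RSA-AES128-SHA"},
              {"Name": "AES128-SHA"}]}]}""")["SslPolicies"]


def cipher_names(policy: Dict) -> List[str]:
    return [c["Name"] for c in policy["Ciphers"]]


def weak_ciphers(policy: Dict) -> List[str]:
    """Ciphers in the policy matching a weak-cipher marker: the cost of enabling it."""
    return [c for c in cipher_names(policy)
            if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]


def supports_client(policy: Dict, protocol: str, cipher: str) -> bool:
    """True if the policy can negotiate with a client offering this protocol and cipher."""
    return protocol in policy["SslProtocols"] and cipher in cipher_names(policy)


def choose_policy(policies: List[Dict], protocol: str, cipher: str) -> Optional[Dict]:
    """Narrowest policy that still admits the legacy client: fewest weak ciphers first,
    then fewest enabled protocols, so exposure is not widened more than needed."""
    candidates = [p for p in policies if supports_client(p, protocol, cipher)]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (len(weak_ciphers(p)), len(p["SslProtocols"])))


def apply_policy(listener_arn: str, policy_name: str) -> None:
    """Switch the HTTPS listener's security policy (live call; needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline helpers above run without it
    boto3.client("elbv2").modify_listener(ListenerArn=listener_arn, SslPolicy=policy_name)
```

Feed `choose_policy` the real `describe-ssl-policies` output and the protocol/cipher the failing browser offers, then review `weak_ciphers` of the chosen policy before calling `apply_policy`.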
The other options are incorrect because:
Option A is incorrect because creating a new SSL certificate in ACM would not solve the problem of legacy web browsers. The problem is not with the SSL certificate, but with the ciphers that are used for the SSL connections. Creating a new SSL certificate would not change the ciphers that are supported by the ALB or the web browsers.
Option B is incorrect because creating a second ALB and installing a custom SSL certificate with a different domain name would be inefficient and complex. You would need to obtain and manage your own custom SSL certificate from a third-party provider, which would incur additional cost and effort. You would also need to register and configure a different domain name for your website, which would affect your SEO and branding. Moreover, you would need to maintain two ALBs with different security policies and load balancing rules, which would increase your operational complexity and overhead.
Option C is incorrect because removing the ALB from the configuration and installing a custom SSL certificate on each web server would be inefficient and risky. You would lose the benefits of using an ALB, such as high availability, scalability, health checks, and path-based routing. You would also need to obtain and manage your own custom SSL certificate from a third-party provider, which would incur additional cost and effort. Furthermore, you would need to install and configure the SSL certificate on each web server, which would increase your operational complexity and risk of human error.
Therefore, the best solution to resolve the issues with legacy web browsers in the most operationally efficient manner is to update the SSL negotiation configuration of the ALB with a security policy that contains ciphers for legacy web browsers.
Amazon AWS Certified SysOps Administrator – Associate certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified SysOps Administrator – Associate exam and earn Amazon AWS Certified SysOps Administrator – Associate certification.