Table of Contents
Question
A company hosts an end user application on AWS. Currently, the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer. The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances. Which solution will meet this requirement with the LEAST operational effort?
A. Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption.
B. Import a third-party SSL certificate to AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the Elastic Load Balancer.
C. Deploy AWS CloudHSM. Import a third-party certificate. Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate.
D. Import a third-party certificate bundle to AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the Elastic Load Balancer.
Answer
B. Import a third-party SSL certificate to AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the Elastic Load Balancer.
Explanation
The correct answer is B. Import a third-party SSL certificate to AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the Elastic Load Balancer. According to the AWS documentation and the AWS blog post, this solution will meet the requirement of configuring end-to-end encryption between the Elastic Load Balancer and the EC2 instances with the least operational effort. The steps are as follows:
- Import a third-party SSL certificate to AWS Certificate Manager (ACM). This is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. You can import a certificate that you obtained from a third-party certificate authority (CA) to ACM and use it with your Elastic Load Balancer.
- Install the third-party certificate on the EC2 instances. This is necessary to enable the EC2 instances to terminate HTTPS connections from the Elastic Load Balancer and encrypt the traffic on the backend. The installation process varies depending on the platform and web server used by your application.
- Associate the ACM imported third-party certificate with the Elastic Load Balancer. This is done by creating or modifying a secure listener for your load balancer and selecting the ACM certificate as the default certificate for the listener. This will enable the load balancer to terminate HTTPS connections from clients and encrypt the traffic on the frontend.
The other options are incorrect because:
- Option A uses Amazon issued ACM certificates instead of third-party certificates. Amazon issued certificates are free and easy to use, but they cannot be installed on EC2 instances or other resources that are not integrated with ACM. Therefore, they cannot be used for end-to-end encryption between the load balancer and the EC2 instances.
- Option C uses AWS CloudHSM instead of ACM. CloudHSM is a service that provides hardware security modules (HSMs) in the AWS Cloud. You can use CloudHSM to generate and store your own encryption keys in a single-tenant HSM cluster. However, CloudHSM is more complex and costly to set up and manage than ACM, and it does not integrate with Elastic Load Balancing directly. Therefore, it does not meet the requirement of least operational effort.
- Option D uses an AWS Systems Manager rule instead of an AWS Config rule. Systems Manager does not have rules, but rather documents that define automation workflows. Additionally, option D uses an AWS Lambda function instead of linking the runbook as the automatic remediation step. Lambda functions are used to run code without provisioning or managing servers, not to link remediation actions with AWS Config rules.
Reference
- Configuring end-to-end encryption in a load-balanced Elastic Beanstalk environment – AWS Elastic Beanstalk (amazon.com)
- amazon web services – AWS Encrypt connection between LoadBalancer and EC2 instances – Stack Overflow
- Data protection in Elastic Load Balancing – Elastic Load Balancing (amazon.com)
- Setting up end-to-end TLS encryption on Amazon EKS with the new AWS Load Balancer Controller | Containers
Amazon AWS Certified Security – Specialty certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Security – Specialty exam and earn Amazon AWS Certified Security – Specialty certification.