Exam AWS Certified Security - Specialty topic 1 question 500 discussion

There is no mention of AWS Nitro Enclaves. EC2 is not integrated with ACM: https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html A third party certificate must be used: https://www.youtube.com/watch?v=6Nz0RFfBqVE https://repost.aws/knowledge-center/configure-acm-certificates-ec2

A Less effort AWS ACM certificates on ELB and EC2 instances

Is everyone voting here that inexperienced? Importing the leaf cert usually won't be enough, the ELB will usually need to serve subs because client trust stores tend to only have root CAs. D is the same as B except it specially includes the step to also import the "bundle" - i.e. the subordinate CA issuer. This is necessary. The subordinate CA/chain isn't needed on the EC2 instance because, as others have pointed out, ELBs don't validate SSL certs against internal trust stores anyway.

A is not correct. Configuring an Amazon Issued ACM public certificate for a website that's hosted on an EC2 instance requires exporting the certificate. However, you can't export the certificate because ACM manages the private key that signs and creates the certificate.

The load balancer doesn't care if your instance's certificate is self-signed or issued by a trusted certificate authority, and will accept any certificate presented to it. https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html

Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption. This option involves using AWS Certificate Manager (ACM) to issue and manage SSL/TLS certificates. By using ACM certificates, you can easily create, deploy, and renew certificates without the need for manual intervention. ACM automatically takes care of the certificate lifecycle management, including provisioning, renewal, and integration with services like Elastic Load Balancer.

B : Public ACM certificates can be installed on Amazon EC2 instances that are connected to a Nitro Enclave, but not to other Amazon EC2 instances. https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

Answer B : https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html

option A: "Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption." Using Amazon-issued ACM certificates simplifies the certificate management process, as ACM takes care of certificate provisioning, renewal, and integration. By leveraging ACM certificates, the company can easily configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances without the need to import third-party certificates or manage them separately. This option reduces operational effort because the company can rely on ACM's automation and integration with other AWS services to handle certificate management seamlessly.