Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 103 discussion

Because of the wording of this question, I did not first know which of the options B and D is correct. However, my conviction that you can't directly install Amazon-issued certificates on EC2 instances (refer to - https://repost.aws/knowledge-center/associate-acm-certificate-alb-nlb for more information) made me to study a few documentations to be sure D is the correct answer. Please check the Accepted answer in the following thread - https://repost.aws/questions/QUIo7PWvZ3T6aFYCByhZ5f0A/load-certificate-on-alb-and-ec2

Q: Can I use certificates on Amazon EC2 instances or on my own servers? You can use private certificates issued with Private CA with EC2 instances, containers, and on your own servers. At this time, public ACM certificates can be used only with specific AWS services, including AWS Nitro Enclaves. See ACM service integrations.

B. To achieve complete encryption of the traffic between external users and an application hosted on Amazon EC2 instances behind an Application Load Balancer (ALB), you would typically use SSL/TLS encryption. AWS Certificate Manager (ACM) provides a managed service for provisioning and renewing SSL/TLS certificates. Here's how the process works: Create a new Amazon-issued certificate in ACM. Associate the certificate with the ALB. This ensures that the ALB can terminate SSL/TLS connections on behalf of the EC2 instances. Export the certificate from ACM. Install the exported certificate on the EC2 instances. This ensures that the communication between the ALB and EC2 instances is also encrypted. By using ACM, you benefit from the managed certificate service, automated certificate renewal, and easy integration with other AWS services like ALB. This approach ensures secure communication from external users to the ALB and between the ALB and EC2 instances.

ACM should be used, so A and C are out. Between B and D, B is out because Amazon-issued public cert cannot be installed on EC2 instances. https://repost.aws/knowledge-center/associate-acm-certificate-alb-nlb

Option D is the correct solution. To encrypt traffic between external users and the application behind the Application Load Balancer (ALB), a certificate should be imported into AWS Certificate Manager (ACM) and associated with the ALB. The same certificate should also be installed on the EC2 instances. Option A is incorrect because Secrets Manager is used for storing secrets, not SSL/TLS certificates. Option B is incorrect because Amazon-issued ACM certificates can only be used with Elastic Load Balancers and Amazon CloudFront. They cannot be exported and installed on EC2 instances. Option C is incorrect because IAM does not support importing or managing SSL/TLS certificates. Option D uses a third-party certificate imported into ACM, associated with the ALB, and installed on the EC2 instances. This provides complete encryption between the users and application.

Bad question; I think it should be B since AWS always tries to promote and use internal services and not go to third parties. We deploy SSL in ALB terminate and send non-SSL to EC2. In my opinion, the provided answers are incorrect.

CAN'T use an ACM cert on ec2 instance. D is the right answer.

I think it's asking about the key difference btw creating Amazon based Cert versus creating/using 3rd party Certs.... specially on leveraging the feature of 'exporting the Cert' from ACM which looks valid in option B only whereas on other choices, it's not a good fit. I could be wrong but that's what makes me feel to go with option B here..

Kind of a bad question here, so I can't really make a proper decision between B and D.. What certificate is being applied? ALB does not pass encrypted traffic to a target. NLB will do that. you must deploy at least one SSL server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then decrypt requests from clients before sending them to the targets. You must also specify a security policy, which is used to negotiate secure connections between clients and the load balancer. If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

correct