
Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 103 discussion

A company needs complete encryption of the traffic between external users and an application. The company hosts the application on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB).

How can a security engineer meet these requirements?

  • A. Create a new Amazon-issued certificate in AWS Secrets Manager. Export the certificate from Secrets Manager. Import the certificate into the ALB and the EC2 instances.
  • B. Create a new Amazon-issued certificate in AWS Certificate Manager (ACM). Associate the certificate with the ALB. Export the certificate from ACM. Install the certificate on the EC2 instances.
  • C. Import a new third-party certificate into AWS Identity and Access Management (IAM). Export the certificate from IAM. Associate the certificate with the ALB and the EC2 instances.
  • D. Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the ALB. Install the certificate on the EC2 instances.
Suggested Answer: D 🗳️

Comments

AgboolaKun
Highly Voted 1 year ago
Selected Answer: D
Because of the wording of this question, I did not at first know which of the options B and D is correct. However, my conviction that you can't directly install Amazon-issued certificates on EC2 instances (refer to https://repost.aws/knowledge-center/associate-acm-certificate-alb-nlb for more information) made me study a few pieces of documentation to be sure D is the correct answer. Please check the accepted answer in the following thread: https://repost.aws/questions/QUIo7PWvZ3T6aFYCByhZ5f0A/load-certificate-on-alb-and-ec2
upvoted 9 times
...
ginseng
Most Recent 8 months, 2 weeks ago
Selected Answer: D
Q: Can I use certificates on Amazon EC2 instances or on my own servers? You can use private certificates issued with Private CA with EC2 instances, containers, and on your own servers. At this time, public ACM certificates can be used only with specific AWS services, including AWS Nitro Enclaves. See ACM service integrations.
upvoted 3 times
...
vikasj1in
10 months, 3 weeks ago
B. To achieve complete encryption of the traffic between external users and an application hosted on Amazon EC2 instances behind an Application Load Balancer (ALB), you would typically use SSL/TLS encryption. AWS Certificate Manager (ACM) provides a managed service for provisioning and renewing SSL/TLS certificates. Here's how the process works: Create a new Amazon-issued certificate in ACM. Associate the certificate with the ALB. This ensures that the ALB can terminate SSL/TLS connections on behalf of the EC2 instances. Export the certificate from ACM. Install the exported certificate on the EC2 instances. This ensures that the communication between the ALB and EC2 instances is also encrypted. By using ACM, you benefit from the managed certificate service, automated certificate renewal, and easy integration with other AWS services like ALB. This approach ensures secure communication from external users to the ALB and between the ALB and EC2 instances.
upvoted 1 times
...
Daniel76
11 months, 3 weeks ago
Selected Answer: D
ACM should be used, so A and C are out. Between B and D, B is out because Amazon-issued public cert cannot be installed on EC2 instances. https://repost.aws/knowledge-center/associate-acm-certificate-alb-nlb
upvoted 1 times
...
azure4life
11 months, 3 weeks ago
Selected Answer: D
Option D is the correct solution. To encrypt traffic between external users and the application behind the Application Load Balancer (ALB), a certificate should be imported into AWS Certificate Manager (ACM) and associated with the ALB. The same certificate should also be installed on the EC2 instances. Option A is incorrect because Secrets Manager is used for storing secrets, not SSL/TLS certificates. Option B is incorrect because Amazon-issued ACM certificates can only be used with Elastic Load Balancers and Amazon CloudFront. They cannot be exported and installed on EC2 instances. Option C is incorrect because IAM does not support importing or managing SSL/TLS certificates. Option D uses a third-party certificate imported into ACM, associated with the ALB, and installed on the EC2 instances. This provides complete encryption between the users and application.
upvoted 3 times
...
Oralinux
12 months ago
Bad question; I think it should be B since AWS always tries to promote and use internal services and not go to third parties. We deploy SSL in ALB terminate and send non-SSL to EC2. In my opinion, the provided answers are incorrect.
upvoted 2 times
...
snowmaggedon
1 year ago
CAN'T use an ACM cert on ec2 instance. D is the right answer.
upvoted 1 times
...
Aamee
1 year ago
Selected Answer: B
I think it's asking about the key difference between creating an Amazon-based cert versus creating/using 3rd-party certs, especially on leveraging the feature of 'exporting the cert' from ACM, which looks valid in option B only, whereas the other choices are not a good fit. I could be wrong, but that's what makes me feel like going with option B here.
upvoted 1 times
...
[Removed]
1 year ago
Kind of a bad question here, so I can't really make a proper decision between B and D. What certificate is being applied? ALB does not pass encrypted traffic to a target. NLB will do that. You must deploy at least one SSL server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then decrypt requests from clients before sending them to the targets. You must also specify a security policy, which is used to negotiate secure connections between clients and the load balancer. If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
upvoted 2 times
...
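The comments above disagree on what "complete encryption" means when an ALB sits in the middle: the ALB always terminates TLS using its own certificate, so the client-to-ALB hop and the ALB-to-instance hop are encrypted independently, and the second hop is only encrypted if the target group itself uses HTTPS (which in turn requires a certificate on the instances, as option D describes). The following is an added example, not code from the exam page or from any of the commenters: an offline audit over records shaped like `aws elbv2 describe-listeners` / `describe-target-groups` output that flags ALBs whose front end is HTTPS but whose back end still forwards plaintext. The ARNs, account id and the `EXAMPLE-IMPORTED` certificate id are constructed placeholders; `acm_import_request` builds the keyword arguments for the real boto3 `ImportCertificate` call (`Certificate`, `PrivateKey`, `CertificateChain`) but does not make it.

```python
"""Audit Application Load Balancer listeners for end-to-end TLS.

Constructed sample data (not captured from any real account): two ALBs.
"alb-public" terminates TLS on 443, redirects 80 -> 443, and re-encrypts to
an HTTPS target group. "alb-legacy" terminates TLS on 443 but forwards plain
HTTP to port 80, so the ALB-to-instance hop is unencrypted.
"""
from typing import Dict, List, Optional

ACCOUNT = "111111111111"  # constructed placeholder account id
REGION = "us-east-1"


def _arn(service: str, resource: str) -> str:
    return f"arn:aws:{service}:{REGION}:{ACCOUNT}:{resource}"


TG_HTTPS = _arn("elasticloadbalancing", "targetgroup/tg-https/1")
TG_HTTP = _arn("elasticloadbalancing", "targetgroup/tg-http/2")
ALB_PUBLIC = _arn("elasticloadbalancing", "loadbalancer/app/alb-public/abc")
ALB_LEGACY = _arn("elasticloadbalancing", "loadbalancer/app/alb-legacy/def")
IMPORTED_CERT = _arn("acm", "certificate/EXAMPLE-IMPORTED")  # placeholder id

SAMPLE_LISTENERS: List[Dict] = [
    {"LoadBalancerArn": ALB_PUBLIC, "Port": 443, "Protocol": "HTTPS",
     "Certificates": [{"CertificateArn": IMPORTED_CERT}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_HTTPS}]},
    {"LoadBalancerArn": ALB_PUBLIC, "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                                            "StatusCode": "HTTP_301"}}]},
    {"LoadBalancerArn": ALB_LEGACY, "Port": 443, "Protocol": "HTTPS",
     "Certificates": [{"CertificateArn": IMPORTED_CERT}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_HTTP}]},
]
SAMPLE_TARGET_GROUPS: List[Dict] = [
    {"TargetGroupArn": TG_HTTPS, "Protocol": "HTTPS", "Port": 443},
    {"TargetGroupArn": TG_HTTP, "Protocol": "HTTP", "Port": 80},
]


def _name(arn: str) -> str:
    # ".../loadbalancer/app/<name>/<id>" and ".../targetgroup/<name>/<id>"
    return arn.split("/")[-2]


def audit_end_to_end_tls(listeners: List[Dict], target_groups: List[Dict]) -> List[str]:
    """Return one finding per hop that carries plaintext; [] means fully encrypted."""
    tgs = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings: List[str] = []
    for lsn in listeners:
        name = _name(lsn["LoadBalancerArn"])
        actions = lsn.get("DefaultActions", [])
        if lsn["Protocol"] != "HTTPS":
            # A plaintext listener is acceptable only if all it does is redirect to HTTPS.
            redirect_only = bool(actions) and all(
                a.get("Type") == "redirect"
                and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                for a in actions)
            if not redirect_only:
                findings.append(f"{name}: listener on port {lsn['Port']} accepts "
                                f"plaintext {lsn['Protocol']} from clients")
            continue
        if not lsn.get("Certificates"):
            findings.append(f"{name}: HTTPS listener on port {lsn['Port']} has no certificate")
        for a in actions:
            if a.get("Type") != "forward":
                continue
            tg = tgs.get(a["TargetGroupArn"])
            proto = tg["Protocol"] if tg else "unknown"
            if proto != "HTTPS":
                findings.append(f"{name}: forwards to {_name(a['TargetGroupArn'])} over "
                                f"{proto}; the ALB-to-instance hop is not encrypted")
    return findings


def acm_import_request(cert_pem: bytes, key_pem: bytes,
                       chain_pem: Optional[bytes] = None) -> Dict[str, bytes]:
    """Keyword arguments for boto3 `acm.import_certificate(**req)` (option D's first
    step). Imported certificates are not renewed by ACM; the same PEM files are what
    gets installed on the instances for the back-end hop."""
    req = {"Certificate": cert_pem, "PrivateKey": key_pem}
    if chain_pem:
        req["CertificateChain"] = chain_pem
    return req


if __name__ == "__main__":
    for finding in audit_end_to_end_tls(SAMPLE_LISTENERS, SAMPLE_TARGET_GROUPS):
        print(finding)
```

Run against live data by feeding it the `Listeners` and `TargetGroups` lists from the two describe calls; an empty result means every client-facing listener is HTTPS (or a redirect to HTTPS) and every forwarded target group re-encrypts to the instances.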
oioi
1 year ago
Selected Answer: B
correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)