Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 177 discussion

ACM certificates are supported by the following services: • Elastic Load Balancing To serve secure content over SSL/TLS, load balancers require that SSL/TLS certificates be installed on either the load balancer or the back-end Amazon EC2 instance. ACM is integrated with Elastic Load Balancing to deploy ACM certificates on the load balancer. • Amazon CloudFront To use an ACM certificate with CloudFront, make sure you request (or import) the certificate in the US East Region (us-east-1). • Amazon API Gateway With the proliferation of mobile devices and growth of the Internet of Things (IoT), it has become increasingly common to create APIs that can be used to access data and interact with back-end systems on AWS. • AWS Nitro Enclaves EC2 instances connected to Nitro Enclaves support ACM certificates. You cannot associate ACM certificates with an EC2 instance that is not connected to a Nitro Enclave.

D - You can import a certificate for use with ALB, CF, etc. If you need on your EC2 instances, you will need to import to them as well, but they can be used. Do this on a regular basis it seems.

You cannot use ACM's cert between EC2 and ALB.

The debate is between B and D ...(because the question is actually saying that ALB is already used -> NLB is excluded from the beginning) Even if ACM is more easier to use ( i mean you don't need to go to a third party provider) when reading B answer it is saying : "Configure AWS Certificate Manager (ACM) certificates for the communication between the ALB and the EC2 instances." You cannot use ACM for communication between ALB and EC2. Actually in the target group you can specify protocol and port and the instances associated but there is no field where to specify which certificate to use. Also in (B) it is not saying to configure the certificates in EC2 which is wrong as well. The ACM is used for ALB and in the listener part you have the default certificate and the SNIs under certificates tab. Therefore D is the correct answer.

B is correct. D is wrong, because this option involves using a third-party certificate, which adds complexity without providing any clear benefits over using ACM directly for certificate management. Terminating TLS at the ALB and applying the WAF ACL at the ALB level is correct, but the ALB's integration with ACM simplifies the process.

WAF for security and ACM managed certificate for TLS encryptions. B looks fine to me