A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC. Which solution would be MOST secure and easy to maintain?
A.
Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.
B.
Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.
C.
Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.
D.
Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.
Answer is C. (same question as #5 topic 2)
Setting up ACM Private CA requires a root CA. This can be used to sign a certificate signing request (CSR) for the new subordinate (CA), which is then imported into ACM Private CA. After this is complete, it’s possible for containers within your platform to generate their own key-value pairs at runtime using OpenSSL. They can then use the key-value pairs to make their own CSR and ultimately receive their own certificate.
* Option D mentions using AWS Certificate Manager to generate private certificates. This is wrong. Containers make an "issue-certificate" API call to ACM PCA and a "get-certificate" API call to ACM PCA.
Agreed, C is correct. Just to affirm why D is not right, see the diagram in this link: https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
While Option C involves creating private keys inside the containers, which adds complexity and risk regarding key management, Option D leverages AWS services to provide a more streamlined, secure, and maintainable solution.
D
Using AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority and then generating private certificates with AWS Certificate Manager for deployment to containers (D) provides a secure and automated approach for certificate management, while creating private keys in the containers and signing them using the ACM PCA API (C) offers a more manual process that can be complex and less secure compared to ACM's automated lifecycle management.
Correct answer is D.
https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
You do not sign "private key".
Generate private key in the container, then create a CSR for the private CA to issue a certificate to be used by the container after getting it from PCA.
The custom signed object is verified for integrity, and the root CA certificate is used to verify the chain of trust to confirm non-repudiation of the identity that produced the digital signature. As a result, answer C is the most secure option.
Request a TLS certificate from ACM for the VPC using the AWS Management Console or the AWS CLI.
Store the private key and certificate chain in a Docker container that will act as the server.
Store the public key in a Docker container that will act as the client.
Configure the server container to use the private key and certificate chain for TLS encryption.
Configure the client container to use the public key for TLS encryption.
Deploy the server and client containers to the VPC.
Configure the security groups for the VPC to allow traffic over the necessary ports for the server and client containers to communicate.
Enable mutual TLS authentication between the server and client containers. This can be done by configuring the server container to require client certificates and configuring the client container to provide a client certificate when making requests to the server container.
Test the communication between the server and client containers to ensure that it is secure.
The answer is D. Tried this before. Used AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority. You can either generate the private certificate from CLI using PCA or from console using AWS Certificate Manager
Convinced by: https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
The wording on C is odd to me: "then create the private keys in the containers and sign them using the ACM PCA API."
Why would you sign a private key? You generate a key and the key is used to generate a CSR. The CA issues a signed certificate based on the CSR. In effect you are using AWS Certificate Manager to issue (generate) the certificate.
D (because the question says "easy to maintain"): "If you use ACM Private CA to create a CA, ACM can manage certificate issuance from that private CA and automate certificate renewals." ref: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html
Answer is D.
Option C works but it is more complicated than D.
https://aws.amazon.com/certificate-manager/faqs/
You can export private certificates from ACM and use them with EC2 instances, containers, on-premises servers, and IoT devices. ACM Private CA automatically renews these certificates and sends an Amazon CloudWatch notification when the renewal is completed. You can write client-side code to download renewed certificates and private keys and deploy them with your application.
And that's exactly why they mention "the MOST secure option". Generating the private key in the instances and ensuring the key leaves the instances is the most secure way to do this.
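The workflow the thread keeps circling back to (key pair generated inside the container with OpenSSL, CSR submitted to ACM PCA with issue-certificate, certificate and chain fetched with get-certificate, then each peer checking the other's chain before trusting it) as an added, runnable example. This is not code from the thread, from the linked AWS blog post, or from AWS. It assumes openssl 1.1.1 or later; the ACM PCA step additionally assumes the AWS CLI on PATH and a variable named PCA_ARN (a name chosen here) holding the ARN of the subordinate CA created in ACM PCA. Because the real signing happens inside ACM PCA, the script also includes a clearly labelled local stand-in CA so the key/CSR/verify path can be exercised offline; the container names api.internal, worker.internal and rogue.internal are made up for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumes openssl >= 1.1.1 and, for the
# ACM PCA step only, the AWS CLI plus PCA_ARN (hypothetical variable name) set
# to the ARN of the subordinate CA that was created in ACM PCA.
set -eu

# Step 1: runs inside the container. The private key is generated here and
# never leaves the container; only the CSR is sent to the CA.
make_key_and_csr() {
  local dir="$1" name="$2"
  mkdir -p "$dir"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem"
  chmod 600 "$dir/key.pem"
  # Put the name in a SAN; TLS stacks match on SAN, not on CN.
  openssl req -new -key "$dir/key.pem" -subj "/CN=$name" \
    -addext "subjectAltName=DNS:$name" -out "$dir/csr.pem" 2>/dev/null
}

# Step 2 (production): hand the CSR to ACM PCA, wait, fetch cert and chain.
# Callers get the client-auth template, listeners the server-auth template;
# the default EndEntityCertificate/V1 template carries both EKUs.
# The signing algorithm must match the CA's key type (an RSA CA here).
issue_via_acm_pca() {
  local dir="$1" template="${2:-arn:aws:acm-pca:::template/EndEntityCertificate/V1}"
  local cert_arn
  cert_arn=$(aws acm-pca issue-certificate \
    --certificate-authority-arn "$PCA_ARN" \
    --csr "fileb://$dir/csr.pem" \
    --signing-algorithm SHA256WITHRSA \
    --template-arn "$template" \
    --validity Value=7,Type=DAYS \
    --query CertificateArn --output text)
  aws acm-pca wait certificate-issued \
    --certificate-authority-arn "$PCA_ARN" --certificate-arn "$cert_arn"
  aws acm-pca get-certificate --certificate-authority-arn "$PCA_ARN" \
    --certificate-arn "$cert_arn" --query Certificate --output text >"$dir/cert.pem"
  aws acm-pca get-certificate --certificate-authority-arn "$PCA_ARN" \
    --certificate-arn "$cert_arn" --query CertificateChain --output text >"$dir/chain.pem"
}

# Offline stand-in for Step 2 so the flow can be run without AWS. This is NOT
# ACM PCA; it only mimics "CA signs the CSR, container never sees the CA key".
sign_with_local_ca() {
  local dir="$1" cadir="$2" name="$3" eku="$4"
  if [ ! -f "$cadir/ca.pem" ]; then
    mkdir -p "$cadir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$cadir/ca-key.pem"
    openssl req -x509 -new -key "$cadir/ca-key.pem" -subj "/CN=stand-in sub CA" \
      -days 7 -out "$cadir/ca.pem" 2>/dev/null
  fi
  # SAN and EKU come from the CA side, exactly as a PCA template dictates them.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$name" "$eku" >"$dir/ext.cnf"
  openssl x509 -req -in "$dir/csr.pem" -CA "$cadir/ca.pem" -CAkey "$cadir/ca-key.pem" \
    -CAcreateserial -days 7 -extfile "$dir/ext.cnf" -out "$dir/cert.pem" 2>/dev/null
  cp "$cadir/ca.pem" "$dir/chain.pem"
}

# Step 3: what each peer checks before trusting the other. Chains to the
# private CA, carries the expected EKU, and the cert matches the local key.
check_identity() {
  local dir="$1" eku_text="$2"
  openssl verify -CAfile "$dir/chain.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/cert.pem" -noout -text | grep -q "$eku_text" || return 1
  openssl pkey -in "$dir/key.pem" -pubout -out "$dir/key.pub" 2>/dev/null
  openssl x509 -in "$dir/cert.pem" -pubkey -noout >"$dir/cert.pub"
  cmp -s "$dir/key.pub" "$dir/cert.pub" || return 1
  echo ok
}

# Exercise the offline path; prints the working directory on success.
demo_offline() {
  local work; work=$(mktemp -d)
  # Two peers: the api container (listener) and a worker (caller). With AWS
  # available, replace the sign_with_local_ca calls with issue_via_acm_pca.
  make_key_and_csr "$work/api" api.internal
  make_key_and_csr "$work/worker" worker.internal
  sign_with_local_ca "$work/api" "$work/ca" api.internal serverAuth,clientAuth
  sign_with_local_ca "$work/worker" "$work/ca" worker.internal clientAuth
  check_identity "$work/api" "TLS Web Server Authentication" >/dev/null
  check_identity "$work/worker" "TLS Web Client Authentication" >/dev/null
  # A peer whose cert came from some other CA must be rejected even if it
  # presents our chain file: trust is anchored in the private CA's key.
  make_key_and_csr "$work/rogue" rogue.internal
  sign_with_local_ca "$work/rogue" "$work/other-ca" rogue.internal clientAuth
  cp "$work/ca/ca.pem" "$work/rogue/chain.pem"
  if check_identity "$work/rogue" "TLS Web Client Authentication" >/dev/null; then
    echo "rogue certificate accepted" >&2; return 1
  fi
  echo "$work"
}

WORK=$(demo_offline)
echo "offline demo passed; artifacts in $WORK"
```

The point the thread argues over is visible in the script: the only artifact that ever leaves the container is csr.pem, and the CA key (ACM PCA's, or the stand-in's) never enters it. Renewal with ACM PCA is then just re-running issue_via_acm_pca with the same key, or a fresh one, before the 7-day validity expires.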