Exam AWS Certified Security - Specialty topic 1 question 110 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 110
Topic #: 1

A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC.
Which solution would be MOST secure and easy to maintain?

  • A. Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.
  • B. Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.
  • C. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.
  • D. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.
Suggested Answer: D

Comments

BigZ
Highly Voted 3 years, 1 month ago
Answer is C. (same question as #5 topic 2) Setting up ACM Private CA requires a root CA. This can be used to sign a certificate signing request (CSR) for the new subordinate (CA), which is then imported into ACM Private CA. After this is complete, it’s possible for containers within your platform to generate their own key-value pairs at runtime using OpenSSL. They can then use the key-value pairs to make their own CSR and ultimately receive their own certificate. * Option D mentions to use AWS Certificate Manager to generate private certificates. This is wrong. Containers request "issue-certificate" API call to the ACM PCA and "get-certificate" API call from ACM PCA.
upvoted 23 times
Gustava6272
3 years ago
Agreed, C is correct. Just to affirm why D is not right, see the diagram in this link - https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
upvoted 6 times
luis12345
Highly Voted 3 years, 1 month ago
I think the right answer is D
upvoted 20 times
shammous
Most Recent 2 weeks ago
Selected Answer: D
While Option C involves creating private keys inside the containers, which adds complexity and risk regarding key management, Option D leverages AWS services to provide a more streamlined, secure, and maintainable solution.
upvoted 1 times
Deyemzy
5 months ago
D Using AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority and then generating private certificates with AWS Certificate Manager for deployment to containers (D) provides a secure and automated approach for certificate management, while creating private keys in the containers and signing them using the ACM PCA API (C) offers a more manual process that can be complex and less secure compared to ACM's automated lifecycle management.
upvoted 1 times
Arad
5 months, 3 weeks ago
Selected Answer: D
I believe D is the correct answer; the keyword in the question is "easy to maintain", which is why D is better than C.
upvoted 1 times
Raphaello
9 months ago
Selected Answer: D
Correct answer is D. https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/ You do not sign "private key". Generate private key in the container, then create a CSR for the private CA to issue a certificate to be used by the container after getting it from PCA.
upvoted 1 times
Raphaello
8 months, 3 weeks ago
mTLS is the process of mutual authentication by exchanging and validating certificates.
upvoted 1 times
Andrii223
1 year, 4 months ago
key word - most secure :)
upvoted 1 times
ITGURU51
1 year, 5 months ago
The custom signed object is verified for integrity, and the root CA certificate is used to verify the chain of trust to confirm non-repudiation of the identity that produced the digital signature. As a result, answer C is the most secure option.
upvoted 1 times
peddyua
1 year, 8 months ago
Selected Answer: D
Request a TLS certificate from ACM for the VPC using the AWS Management Console or the AWS CLI. Store the private key and certificate chain in a Docker container that will act as the server. Store the public key in a Docker container that will act as the client. Configure the server container to use the private key and certificate chain for TLS encryption. Configure the client container to use the public key for TLS encryption. Deploy the server and client containers to the VPC. Configure the security groups for the VPC to allow traffic over the necessary ports for the server and client containers to communicate. Enable mutual TLS authentication between the server and client containers. This can be done by configuring the server container to require client certificates and configuring the client container to provide a client certificate when making requests to the server container. Test the communication between the server and client containers to ensure that it is secure.
upvoted 1 times
boooliyooo
1 year, 10 months ago
Selected Answer: D
ACM can generate private certificate & this is an easier approach. https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-private.html
upvoted 1 times
epomatti
1 year, 2 months ago
Wrong. Answer is C. You didn't even read your own link. ACM works alongside PCA. It's even called ACM PCA.
upvoted 1 times
Fyssy
1 year, 10 months ago
Selected Answer: D
The answer is D. Tried this before. Used AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority. You can either generate the private certificate from the CLI using PCA or from the console using AWS Certificate Manager.
upvoted 2 times
sapien45
2 years, 2 months ago
Selected Answer: C
convinced by: https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
upvoted 4 times
trongod05
2 years, 5 months ago
The wording on C is odd to me: "then create the private keys in the containers and sign them using the ACM PCA API." Why would you sign a private key? You generate a key and the key is used to generate a CSR. The CA issues a signed certificate based on the CSR. In effect you are using AWS Certificate Manager to issue (generate) the certificate.
upvoted 2 times
leu_alves_sch
2 years, 9 months ago
Selected Answer: C
https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
upvoted 2 times
1awssec
3 years ago
D (because the question says "easy to maintain") >> "If you use ACM Private CA to create a CA, ACM can manage certificate issuance from that private CA and automate certificate renewals." Ref: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html
upvoted 2 times
kiev
3 years ago
C and D are a bit confusing but I would plump for C.
upvoted 1 times
Hungdv
3 years ago
Answer is D. Option C works but it is more complicated than D. https://aws.amazon.com/certificate-manager/faqs/ You can export private certificates from ACM and use them with EC2 instances, containers, on-premises servers, and IoT devices. ACM Private CA automatically renews these certificates and sends an Amazon CloudWatch notification when the renewal is completed. You can write client-side code to download renewed certificates and private keys and deploy them with your application.
upvoted 6 times
johnsm
3 years ago
And that's exactly why they mention "the MOST secure option". Generating the private key in the instances and ensuring the key leaves the instances is the most secure way to do this.
upvoted 3 times