
Exam AWS Certified Security - Specialty topic 1 question 121 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 121
Topic #: 1

A company has a few dozen application servers in private subnets behind an Elastic Load Balancer (ELB) in an AWS Auto Scaling group. The application is accessed from the web over HTTPS. The data must always be encrypted in transit. The Security Engineer is worried about potential key exposure due to vulnerabilities in the application software.
Which approach will meet these requirements while protecting the external certificate during a breach?

  • A. Use a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances.
  • B. Purchase an external certificate, and upload it to the AWS Certificate Manager (for use with the ELB) and to the instances. Have the ELB decrypt traffic, and route and re-encrypt with the same certificate.
  • C. Generate an internal self-signed certificate and apply it to the instances. Use AWS Certificate Manager to generate a new external certificate for the ELB. Have the ELB decrypt traffic, and route and re-encrypt with the internal certificate.
  • D. Upload a new external certificate to the load balancer. Have the ELB decrypt the traffic and forward it on port 80 to the instances.
Suggested Answer: C
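To make the suggested answer concrete, here is an added CloudFormation template for option C; it is not part of the exam question or of any AWS documentation, and the parameter names, resource names, instance type, health-check path and on-box certificate paths are assumptions for illustration. The public hop is terminated on an Application Load Balancer with a certificate held in AWS Certificate Manager (ACM never lets that private key be exported, so it is never on an instance); the private hop to the targets uses an HTTPS target group, and each instance generates its own throwaway self-signed key pair at boot. A compromised application server can therefore leak only its own internal key, never the external one.

```yaml
# Added example (not from the exam page or AWS): option C as a CloudFormation template.
# Parameter and resource names are illustrative assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: ALB terminates public TLS with an ACM cert and re-encrypts to instances with an internal self-signed cert

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  ExternalCertificateArn:
    Type: String
    Description: ARN of the public certificate issued or imported in ACM (its private key never leaves ACM)
  AmiId:
    Type: AWS::EC2::Image::Id
  AlbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  AppSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id

Resources:
  AppLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnetIds
      SecurityGroups: [!Ref AlbSecurityGroupId]

  # Front end: HTTPS listener backed by the ACM certificate. The ALB decrypts here.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AppLoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref ExternalCertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AppTargetGroup

  # Back end: the target group speaks HTTPS to the instances on 443, so the ALB re-encrypts.
  AppTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance
      Port: 443
      Protocol: HTTPS
      HealthCheckProtocol: HTTPS
      HealthCheckPath: /health

  # Each instance mints its own self-signed internal certificate at boot. Only this
  # key pair is on the box, so an application compromise cannot expose the ACM key.
  AppLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref AmiId
        InstanceType: t3.small
        SecurityGroupIds: [!Ref AppSecurityGroupId]
        UserData:
          Fn::Base64: |
            #!/bin/bash
            set -euo pipefail
            install -d -m 0700 /etc/app/tls
            openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
              -subj "/CN=app-internal" \
              -keyout /etc/app/tls/internal.key \
              -out /etc/app/tls/internal.crt
            chmod 0600 /etc/app/tls/internal.key
            # Point the web/application server's 443 listener at
            # /etc/app/tls/internal.crt and internal.key (server-specific, omitted here).

  AppAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref PrivateSubnetIds
      MinSize: "2"
      MaxSize: "6"
      LaunchTemplate:
        LaunchTemplateId: !Ref AppLaunchTemplate
        Version: !GetAtt AppLaunchTemplate.LatestVersionNumber
      TargetGroupARNs:
        - !Ref AppTargetGroup
```

Two caveats a practitioner should keep in mind. First, an Application Load Balancer does not validate the certificate a target presents, which is exactly why a self-signed certificate works here; the private hop is encrypted but the instance is not authenticated to the load balancer, so the security group on the targets should admit port 443 only from the ALB's security group. Second, the instance security group should not allow port 80 at all, otherwise option D's unencrypted path is still reachable inside the VPC.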

Comments

simplimarvelous
Highly Voted 3 years, 7 months ago
While not the most ideal solution, C will protect the certificate installed on the ELB. If both the ELB and server used the same cert, a breach of the application would allow possible export of the certificate and key pair. Using a self-signed cert between the ELB and server would only expose the self-signed cert and keep the external communication between viewers and the ELB safe, since they use the external cert.
upvoted 24 times
donathon
Highly Voted 3 years, 7 months ago
C. A: This would not help because they are only using a single certificate. B: Should use a different certificate. D: Not always encrypted.
upvoted 11 times
Raphaello
Most Recent 1 year, 2 months ago
Selected Answer: C
The answer is C. The comment that says "if both elb and server used the same cert" clearly missed the "INTERNAL CERT" part. There are 2 distinct certs, one external on the ELB and an internal one on the instance, to ensure end-to-end encryption.
upvoted 1 times
lydix
1 year, 6 months ago
Answer A: using an NLB with a TCP listener.
upvoted 2 times
Ernestokoro
1 year, 7 months ago
Guys, Ans is A. Look at what AWS has to say: "To use a TLS listener, you must deploy at least one server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then to decrypt requests from clients before sending them to the targets. Note that if you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. The load balancer passes the request to the target as is, without decrypting it." https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html
upvoted 1 times
diego1984
1 year, 10 months ago
Selected Answer: A
A. Using a Network Load Balancer (NLB) to pass through traffic on port 443 from the internet to port 443 on the instances is the most suitable approach in this scenario. NLB operates at the transport layer (Layer 4) and allows for direct forwarding of traffic to the instances without terminating the SSL/TLS connection at the load balancer. This means that the SSL/TLS encryption and decryption are handled by the application servers themselves, reducing the exposure of the external certificate. By using this approach, the SSL/TLS encryption remains intact between the client and the application servers, protecting the data in transit.
upvoted 1 times
ITGURU51
2 years ago
C is the best answer because AWS recommends using AWS Certificate Manager to create or import certificates to the Elastic Load Balancer.
upvoted 2 times
AdamWest
2 years, 5 months ago
Selected Answer: C
Answer is C
upvoted 2 times
ITGURU51
1 year, 11 months ago
Since the question states that all traffic must be encrypted in transit, C is the only viable solution. In addition, the applications behind the ELB must also be configured to use certificates for encryption.
upvoted 1 times
IMAHM
3 years, 5 months ago
Answer C
upvoted 1 times
uduma
3 years, 6 months ago
An NLB in combination with port 443 ensures secured HTTPS traffic. I think A.
upvoted 1 times
PatrykMilewski
3 years, 6 months ago
Answer C
upvoted 2 times
kj07
3 years, 6 months ago
Answer: C. The key is to protect the external certificate. Duplicated question.
upvoted 2 times
gfhbox0083
3 years, 7 months ago
C, for sure
upvoted 2 times
Name1937122
3 years, 7 months ago
Answer: C
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other