Exam AWS Certified Security - Specialty topic 1 question 160 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 160
Topic #: 1

Example.com is hosted on an Amazon EC2 instance behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy-enhancing technologies for users, without losing the assurance the third-party solution offers.
What is the MOST secure way to meet these requirements?

  • A. Enable TLS pass-through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
  • B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
  • C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
  • D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
Suggested Answer: C
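The four options differ on exactly two properties: whether the client-facing listener negotiates only forward-secret (ECDHE) suites, and whether the ALB-to-target hop is encrypted at all. The audit below, an added example that is not part of the question or of any comment, checks both properties against records shaped like the ELBv2 API responses (`describe-listeners`, `describe-ssl-policies`, `describe-target-groups`). The policy names and cipher-suite names are real ELBv2 identifiers, but the records themselves are constructed and abridged, and the function names are my own.

```python
"""Audit an ALB deployment for the two properties the exam question contrasts:
forward secrecy on the client-facing listener and encryption on the
ALB-to-target hop.  Input shapes mirror the ELBv2 API responses
(describe-listeners, describe-ssl-policies, describe-target-groups);
the sample records below are constructed and abridged, not live output."""
from typing import Dict, List

# TLS 1.3 suites always use an ephemeral key exchange; a TLS 1.2 suite is
# forward-secret only when its key exchange is ECDHE (or DHE).
_TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def is_forward_secret(cipher_name: str) -> bool:
    """True when the suite provides perfect forward secrecy (PFS)."""
    return cipher_name in _TLS13_SUITES or cipher_name.startswith(("ECDHE-", "DHE-"))


def policy_is_forward_secret(policy: Dict) -> bool:
    """True only if every suite the policy can negotiate is forward-secret."""
    return all(is_forward_secret(c["Name"]) for c in policy["Ciphers"])


def audit_load_balancer(listeners: List[Dict], target_groups: List[Dict],
                        policies: List[Dict]) -> List[str]:
    """Return human-readable findings; an empty list means both hops pass."""
    by_name = {p["SslPolicyName"]: p for p in policies}
    findings: List[str] = []
    for lst in listeners:
        port, proto = lst["Port"], lst["Protocol"]
        if proto != "HTTPS":
            findings.append(f"listener :{port} is {proto}: client hop is cleartext")
            continue
        policy = by_name.get(lst.get("SslPolicy", ""))
        if policy is None:
            findings.append(f"listener :{port} uses unknown policy "
                            f"{lst.get('SslPolicy')}; refresh with describe-ssl-policies")
        elif not policy_is_forward_secret(policy):
            weak = [c["Name"] for c in policy["Ciphers"] if not is_forward_secret(c["Name"])]
            findings.append(f"listener :{port} policy {policy['SslPolicyName']} "
                            f"permits non-PFS suites: {', '.join(weak)}")
    for tg in target_groups:
        if tg["Protocol"] != "HTTPS":
            findings.append(f"target group {tg['TargetGroupName']} forwards over "
                            f"{tg['Protocol']}: ALB-to-target hop is cleartext")
    return findings


# Constructed, abridged policy records (the real policies list more suites).
SAMPLE_POLICIES = [
    {"SslPolicyName": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
     "SslProtocols": ["TLSv1.2"],
     "Ciphers": [{"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                 {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                 {"Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Priority": 3},
                 {"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 4}]},
    {"SslPolicyName": "ELBSecurityPolicy-2016-08",
     "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
     "Ciphers": [{"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                 {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                 {"Name": "AES128-GCM-SHA256", "Priority": 3},
                 {"Name": "AES128-SHA256", "Priority": 4}]},
]

# Constructed deployments matching options B, C and D of the question.
FS_POLICY = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
SCENARIOS: Dict[str, Dict] = {
    "B": {"listeners": [{"Port": 443, "Protocol": "HTTPS", "SslPolicy": FS_POLICY}],
          "target_groups": [{"TargetGroupName": "web", "Protocol": "HTTP"}]},
    "C": {"listeners": [{"Port": 443, "Protocol": "HTTPS", "SslPolicy": FS_POLICY}],
          "target_groups": [{"TargetGroupName": "web", "Protocol": "HTTPS"}]},
    "D": {"listeners": [{"Port": 443, "Protocol": "HTTPS",
                         "SslPolicy": "ELBSecurityPolicy-2016-08"}],
          "target_groups": [{"TargetGroupName": "web", "Protocol": "HTTPS"}]},
}


def audit_scenario(option: str) -> List[str]:
    """Convenience wrapper: audit one of the constructed deployments."""
    s = SCENARIOS[option]
    return audit_load_balancer(s["listeners"], s["target_groups"], SAMPLE_POLICIES)


if __name__ == "__main__":
    for option in ("B", "C", "D"):
        print(option, audit_scenario(option) or ["no findings"])
```

Only option C comes back clean: B trips the cleartext backend check and D trips the non-PFS listener check. Note what the audit cannot see: ALB exposes no cipher policy for the target side, so whether the ALB-to-instance hop uses ECDHE is decided by the web server's TLS configuration on the instance (which is where the HIDS agent, as several comments point out, can inspect the decrypted request in memory); the audit can only confirm that the hop is HTTPS. For real use, feed it the output of `aws elbv2 describe-listeners`, `describe-target-groups` and `describe-ssl-policies` instead of the constructed records.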

Comments

freddyman
Highly Voted 3 years, 6 months ago
This is a tough one. The real solution depends on how the agent works; it might require clear-text network traffic. To decode TLS-encrypted network traffic itself it will need the certificate and private key, and perfect forward secrecy would prevent that working even if it did. So in context I think C is the most likely answer, though it might be B in practice. A - ALB can't do this. D - this is not good practice, and the agent on the instance won't be able to decode PFS.
upvoted 14 times
acloudguru
3 years, 5 months ago
I cannot remember; it seems ALB does not support TLS termination, so the traffic from ALB to EC2 cannot be encrypted. I suggest you guys check; I have no time now.
upvoted 1 times
Mr_Zaw
Highly Voted 3 years, 6 months ago
B. The question does not say whether the third-party IPS should be able to decrypt the traffic. If it can't, it will affect the HIPS detection, as it could not see the packet content. The question does state that the change should not affect the assurance of the third-party HIPS.
upvoted 8 times
lycan
3 years, 6 months ago
The HIDS will have absolutely no issues looking at the payload, as the inspection happens in memory after decryption, so the answer is C.
upvoted 1 times
Raphaello
Most Recent 1 year, 1 month ago
Selected Answer: C
C is the preferred answer, to have end-to-end encryption, assuming that the HIDS can work with TLS decryption. But B is not wrong. Connecting to the origin server (internally) over HTTP is acceptable in many cases, unless there is a mandate not to.
upvoted 1 times
ITGURU51
2 years ago
Modern-day HIDS has the ability to decrypt TLS sessions; therefore C is the most secure option. In addition, enabling PFS will enhance security by addressing privacy concerns. To begin using Perfect Forward Secrecy, configure your load balancer with the newly added Elliptic Curve Cryptography (ECDHE) cipher suites. Most major browsers now support these newer and more secure cipher suites. Our next feature enables your load balancer to prefer using these stronger cipher suites for communication. C
upvoted 1 times
jishrajesh
2 years, 3 months ago
C is correct.
upvoted 1 times
tobedeleted
2 years, 5 months ago
Also, the ALB is to terminate the SSL connection between the client and the ALB, not ALB to EC2. I don't find the answer here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
upvoted 1 times
tobedeleted
2 years, 5 months ago
Where is this described in the AWS docs? I don't find anything here about PFS and when it should be enabled with ECDHE or when it should not. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
upvoted 1 times
arae
2 years, 6 months ago
Honestly, A seemed the right one for me. ALB supports TLS now? https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/#:~:text=When%20a%20browser%20connects%20to,to%20establish%20a%20secure%20connection.
upvoted 1 times
Alexey79
2 years, 11 months ago
Selected Answer: C
C: ECDHE with PFS between client and ALB for best protection. ALB to EC2 without PFS, so the HIPS will be able to decrypt TLS and inspect the encrypted data.
upvoted 3 times
LaLune
3 years, 3 months ago
One of the advantages of host-based solutions is that they can catch some of the issues the network-based solution could not, as the traffic passes there encrypted. Their detection activities take place in host memory on unencrypted traffic. 1) From the load balancer to the server, the traffic is encrypted at the LB level using the ECDHE cipher; there is no PFS enabled. 2) Then the host-based appliance (HIDS) takes it from there. 3) The traffic is encrypted between LB and server, ensuring privacy (the requirement). This corresponds to the scenario in C.
upvoted 2 times
Huy
3 years, 5 months ago
My answer is C: the question asks for the most secure way; privacy-enhancing technologies for users = ECDHE (already includes PFS) + end-to-end encryption.
upvoted 4 times
Hungdv
3 years, 5 months ago
I think B is the answer because the question doesn't mention that encrypted data can be decrypted at the HIPS.
upvoted 2 times
[Removed]
3 years, 6 months ago
According to the below, I think it is C. https://medium.com/cloud-security/ids-and-ips-in-the-cloud-f07aac110d31 "One of the benefits of host-based solutions is that they can inspect data that may be encrypted as it passes over the network, making it hard for network-based solutions to inspect the traffic. A host-based solution can inspect data in system memory at the points it is unencrypted. It also may have other insights that network solutions cannot see or may miss in tricky attacks when the host reassembles all the packets. Host-based solutions are also highly beneficial in preventing hosts from talking to each other that should not be if network security fails for some reason."
upvoted 2 times
Ghostbusters
3 years, 6 months ago
Two independent nuggets are important for answering this one: (1) Third-party IDS software cannot work on encrypted traffic; this is a well-known limitation of IDS. Because of this, the traffic between ALB and EC2 CANNOT BE ENCRYPTED. (2) Whenever the question talks about enhancing privacy or encryption, chances are it is leaning towards the use of PFS, and one glance at how many times ECDHE and PFS are mentioned tells us that it needs PFS between end user and ALB, so we must enable ECDHE at the ALB. Combine these two facts together and there is only one answer that emerges: B
upvoted 4 times
Cushion
3 years, 6 months ago
No, it's a HIDS. Traffic can be encrypted and then decrypted at the host.
upvoted 1 times
dinhvu111
3 years, 6 months ago
A is the best answer.
upvoted 1 times
Dic
3 years, 6 months ago
C. HIDS inspects data in memory.
upvoted 2 times
cmcald
3 years, 7 months ago
A - most secure
upvoted 1 times
freddyman
3 years, 6 months ago
ALB can't pass through encrypted traffic; for that you need NLB or Classic ELB. A is not the answer.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other