Exam AWS Certified Solutions Architect - Professional topic 1 question 2 discussion

A customer is deploying an SSL enabled web application to AWS and would like to implement a separation of roles between the EC2 service administrators that are entitled to login to instances as well as making API calls and the security officers who will maintain and have exclusive access to the application's X.509 certificate that contains the private key.

  • A. Upload the certificate to an S3 bucket owned by the security officers and accessible only by the EC2 role of the web servers.
  • B. Configure the web servers to retrieve the certificate upon boot from a CloudHSM managed by the security officers.
  • C. Configure system permissions on the web servers to restrict access to the certificate only to the authorized security officers.
  • D. Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB.
Suggested Answer: D
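As an added illustration (not part of this question page or any commenter's post), a CloudFormation sketch of what Option D looks like in practice: the security officers' group is allowed the IAM server-certificate store and ELB listener actions, the EC2 administrators' group gets an explicit Deny on those same actions, and a classic ELB terminates TLS on port 443 and forwards plain HTTP to the instances, so the private key never lands on a box the administrators can log in to. The group names, subnet, account ID and certificate name are placeholders.

```yaml
# Added example: separation of roles per Option D. All names below are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  SecurityOfficersPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Groups: [SecurityOfficers]            # assumed existing IAM group
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ManageCertificateStoreAndElbListener
            Effect: Allow
            Action:
              - iam:UploadServerCertificate   # the private key enters AWS only here
              - iam:GetServerCertificate
              - iam:ListServerCertificates
              - iam:UpdateServerCertificate
              - iam:DeleteServerCertificate
              - elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
              - elasticloadbalancing:CreateLoadBalancerListeners
            Resource: "*"
  Ec2AdminsPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Groups: [Ec2Admins]                   # assumed existing IAM group
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AdministerInstances
            Effect: Allow
            Action: ["ec2:*"]
            Resource: "*"
          - Sid: NeverTouchCertificates     # an explicit Deny overrides any Allow
            Effect: Deny
            Action:
              - iam:*ServerCertificate*
              - elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
              - acm:*
            Resource: "*"
  WebElb:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: [subnet-PLACEHOLDER]
      Listeners:
        - LoadBalancerPort: "443"
          Protocol: HTTPS                   # TLS terminates on the ELB
          InstancePort: "80"
          InstanceProtocol: HTTP            # instances never hold the private key
          SSLCertificateId: arn:aws:iam::123456789012:server-certificate/PLACEHOLDER
```

The HTTP hop from the ELB to the instances stays inside the VPC; if that leg also has to be encrypted, the instances would need their own (separate) certificate, which is exactly the split the question is after.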

Comments

hcchou
Highly Voted 3 years, 4 months ago
Here is the full text of Option D: "D. Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB."
upvoted 20 times
cpt
Highly Voted 3 years, 4 months ago
I believe it would have been helpful to explain that "terminate" means to terminate the SSL/TLS session before reaching the EC2 instance. This could be done by a load balancer which is only accessible to the security team.
upvoted 13 times
nitinz
3 years, 3 months ago
B is a distraction, why? Because HSM can be used to offload SSL but not to download the X.509 at boot time :-) A picture speaks 1000 words; check the picture on https://docs.aws.amazon.com/cloudhsm/latest/userguide/ssl-offload-overview.html and things will make sense. D makes full sense. Terminate the SSL/TLS connection on the ELB and from there use HTTP. I have done this many times with legacy apps which could not support the latest TLS. The flow is like this: Client (HTTPS) --> (HTTPS) LB (HTTP) ---> Web Server. For this question the answer is D.
upvoted 10 times
Danilus
Most Recent 1 day, 5 hours ago
Selected Answer: D
Key words: separation of roles. Correct answer: D.
Why not A? Because EC2 administrators can access the S3 bucket and retrieve the certificate.
Why not B? CloudHSM is for cryptographic operations, not for distributing certificates to EC2 instances.
Why is D the best option? It uses IAM policies to ensure only security officers can access the certificate, while SSL termination is handled by the ELB, effectively separating the roles.
upvoted 1 times
[Removed]
5 months, 1 week ago
D is the correct answer.
upvoted 11 times
amministrazione
5 months, 3 weeks ago
D. Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB.
upvoted 1 times
hatanaoki
8 months, 2 weeks ago
Selected Answer: D
The correct answer to this question is definitely D. I broke up with my girlfriend. It is hard. I am already 36 years old.
upvoted 1 times
yd_h
1 year, 5 months ago
Selected Answer: D
A -> Since admins have access to the EC2 instance and can invoke API actions from there, they might be able to access the S3 bucket that holds the certificate. D -> When we configure SSL/TLS at the ELB level, admins have no access to the certificates as they are not configured at the instance level.
upvoted 2 times
gameoflove
1 year, 11 months ago
Selected Answer: D
I believe AWS Certificate Manager access would be the best answer; however, as this was missing, the next possible answer is D only.
upvoted 1 times
TigerInTheCloud
2 years, 2 months ago
No correct answer, but D is the possible choice. That the administrators entitled to log in to instances are excluded from accessing the certificate means the certificate should not be loaded into EC2. So A, B, and C are wrong. However, there is no Certificate Store, only Certificate Manager.
upvoted 2 times
rochester
2 years, 5 months ago
Selected Answer: D
D is correct
upvoted 1 times
Akhil254
3 years, 3 months ago
D Correct
upvoted 1 times
anandbabu
3 years, 3 months ago
D is correct
upvoted 1 times
01037
3 years, 3 months ago
I'll go for D.
upvoted 1 times
cldy
3 years, 3 months ago
D. Correct - this provides separation of roles. Please remember CloudHSM can store the private key of the cert but not the cert itself!
upvoted 3 times
RedKane
3 years, 3 months ago
This question is not valid. It ends with "...have exclusive access to the application's X.509 certificate that contains the private key." X.509 certificates do not contain private keys, only public keys.
upvoted 1 times
qkhanhpro
3 years, 3 months ago
So far CloudHSM does not support X.509 yet: https://forums.aws.amazon.com/thread.jspa?threadID=264969
upvoted 1 times
ChauPhan
3 years, 3 months ago
An X.509 certificate is an SSL web certificate. It is not a KMS or CloudHSM encrypted key. So D is correct.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other.