Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 49 discussion

Amazon-issued public certificates can’t be installed on an EC2 instance. To enable end-to-end encryption, you must use a third-party SSL certificate. https://aws.amazon.com/premiumsupport/knowledge-center/acm-ssl-certificate-ec2-elb/ so it's C or D. I choose C as it's ALB

Vote D. If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

Why option C is correct: End-to-end encryption implies traffic is encrypted both from the client to the load balancer and from the load balancer to the EC2 instances. Application Load Balancers (ALBs) support HTTPS termination at the ALB level using AWS Certificate Manager (ACM) certificates. To encrypt traffic between the ALB and EC2 instances, you must install a separate SSL/TLS certificate directly onto each EC2 instance. AWS Certificate Manager (ACM) certificates cannot be exported or installed directly on EC2 instances; thus, a third-party SSL certificate (such as from Let's Encrypt or a commercial provider) must be used on the EC2 instances themselves.

Please read the question carefully: "end-to-end encryption IN TRANIST"--There is no requirement for TLS termination at the NLB, and uploading the certificate to the NLB would effectively negate this anyway (I think it's thrown in there specifically to show this is the wrong answer). While it's worded poorly, the only good answer is C, which will decrypt and reencrypt traffic at the ALB only, but all traffic traversing the network will be encrypted while IN TRANSIT.

A is not correct because as pitakk mentioned, Amazon-issued public certificates from AWS Certificate Manager (ACM) cannot be directly installed on an EC2 instance. It requires 3rd party certificates. B doesn't make any sense. C is not correct because ALB decrypts the traffic before sending it to the target EC2 instances. D is correct because NLB has TCP pass through. With this, NLB doesn't have to decrypt the traffic before forwarding it to the target instances. Courtesy to Perplexity & DeepSeek.

https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html AWS Certificate Manager (ACM) certificates cannot be directly installed on Amazon EC2 instances, except for those connected to a Nitro Enclave. Therefore my choice is also C.

According to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it.

end-to-end encryption

I'm leaning closer to D because, NLB supports e2e. I feel that if the question asked about offloading then the ALB options may have been better. But here it's asking for e2e and can only be done with an NLB

D. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.

it is D, C is more complex.

To achieve end-to-end encryption for a web application using AWS, place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM) and associate it with the ALB to handle HTTPS traffic from clients to the ALB. Additionally, install a third-party SSL certificate on each EC2 instance to ensure that traffic between the ALB and the instances is also encrypted. Configure the ALB to listen on port 443 and forward traffic to port 443 on the instances. This setup ensures that all data in transit is encrypted from the client through the ALB to the backend EC2 instances, meeting security requirements for end-to-end encryption while leveraging ACM for simplified certificate management   .

The key here is end-to-end, so that rules out ALB. Instead Use NLB with TLS termination which will pass the traffic on encrypted. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#:~:text=The%20load%20balancer%20passes%20the,combination%20of%20protocols%20and%20ciphers.

“To enable END-TO-END encryption, you must procure an SSL certificate from a third-party vendor. You can then install the certificate on the EC2 instance and also associate the SAME certificate with the (network) Load Balancer by importing it into Amazon Certificate Manager.” https://www.youtube.com/watch?v=6Nz0RFfBqVE&t=44s TLS listeners for your Network Load Balancer "… if you need to pass encrypted traffic to the targets without the (network) load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener." https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html P.S. The answer is misleading because it says to install the certificate on the NLB; read it as “import it to ACM and associate it with the NLB.

C is correct because ALB+Self-signed Certification NLB+Public Certification

Selected Answer: A. Public Certificates: You can request Amazon-issued public certificates from ACM. ACM manages the renewal and deployment of public certificates that are used with ACM-integrated services, including Amazon CloudFront, Elastic Load Balancing, and Amazon API Gateway. https://aws.amazon.com/es/certificate-manager/faqs/

C: use ACM in the ALB and third-party SSL certificate in the EC2 instances