Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 49 discussion

A company is planning to host a web application on AWS and wants to load balance the traffic across a group of Amazon EC2 instances. One of the security requirements is to enable end-to-end encryption in transit between the client and the web server.

Which solution will meet this requirement?

  • A. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Export the SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
  • B. Associate the EC2 instances with a target group. Provision an SSL certificate using AWS Certificate Manager (ACM). Create an Amazon CloudFront distribution and configure it to use the SSL certificate. Set CloudFront to use the target group as the origin server.
  • C. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Provision a third-party SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
  • D. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.
Suggested Answer: C
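The configurations that the options and the comments on this page argue about, as an added example that is not part of the exam question or of any commenter's post: a small Python classifier that takes dicts in the shape boto3's elbv2 describe_load_balancers / describe_listeners / describe_target_groups return and says whether the load balancer terminates TLS and re-encrypts to the target, forwards the TLS bytes untouched (NLB TCP passthrough), or leaves one hop in plaintext. All inputs are constructed, the ARNs are placeholders, reading option D's "install it on the NLB" as a TLS listener with a TLS target group is my interpretation, and nothing contacts AWS.

```python
"""Encryption-in-transit posture of an ELBv2 listener / target-group pair.

Added example, not the exam's or any commenter's code. The inputs mimic the
dict shapes returned by boto3 elbv2 describe_load_balancers, describe_listeners
and describe_target_groups, but every value here is constructed; nothing
contacts AWS.
"""
from enum import Enum


class Posture(Enum):
    PASSTHROUGH = "TLS bytes forwarded unmodified; the LB never holds plaintext"
    TERMINATE_REENCRYPT = "LB decrypts with its own certificate, opens new TLS to target"
    PLAINTEXT_BACKEND = "LB decrypts; LB-to-target hop is plaintext"
    CLEARTEXT_FRONTEND = "client-to-LB hop is plaintext"
    INVALID = "listener / target-group protocol pair ELBv2 does not allow"


# Listener protocol -> target-group protocols ELBv2 accepts for it
# (HTTP/HTTPS/TCP/TLS only; UDP and TCP_UDP omitted as irrelevant to TLS).
_ALLOWED = {
    "application": {"HTTP": {"HTTP", "HTTPS"}, "HTTPS": {"HTTP", "HTTPS"}},
    "network": {"TCP": {"TCP"}, "TLS": {"TCP", "TLS"}},
}


def classify(load_balancer: dict, listener: dict, target_group: dict) -> Posture:
    """Decide where TLS starts and stops for one listener -> target-group path."""
    lp = listener["Protocol"].upper()
    tp = target_group["Protocol"].upper()
    if tp not in _ALLOWED.get(load_balancer["Type"], {}).get(lp, set()):
        return Posture.INVALID
    if lp in ("HTTPS", "TLS"):
        # An HTTPS (ALB) or TLS (NLB) listener owns a server certificate and
        # private key, so the balancer terminates the client's TLS session.
        if not listener.get("Certificates"):
            return Posture.INVALID
        # Caveat: neither ALB nor NLB validates the target's certificate on the
        # re-encrypted hop, so a self-signed cert on the instance is accepted.
        return Posture.TERMINATE_REENCRYPT if tp in ("HTTPS", "TLS") else Posture.PLAINTEXT_BACKEND
    if lp == "TCP":
        # NLB TCP listener: opaque bytes, no certificate on the balancer. If the
        # client speaks TLS, only the target can terminate it. The LB config
        # cannot prove the target really serves TLS on this port; verify that
        # against the instance separately.
        return Posture.PASSTHROUGH
    return Posture.CLEARTEXT_FRONTEND  # plain HTTP listener


def encrypted_on_every_hop(p: Posture) -> bool:
    """'In transit' reading: no plaintext on any network segment."""
    return p in (Posture.PASSTHROUGH, Posture.TERMINATE_REENCRYPT)


def lb_never_sees_plaintext(p: Posture) -> bool:
    """Strict reading: the balancer is not a party to the TLS session."""
    return p is Posture.PASSTHROUGH


# ---- constructed fixtures in describe_* response shape (placeholder ARNs) ----
ALB = {"Type": "application",
       "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef"}
NLB = {"Type": "network",
       "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/web/fedcba9876543210"}
CERT = [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-4000-8000-000000000000",
         "IsDefault": True}]

SCENARIOS = {
    # Option C: ALB HTTPS:443 with an ACM cert -> HTTPS:443 target group.
    "option C": (ALB, {"Protocol": "HTTPS", "Port": 443, "Certificates": CERT},
                 {"Protocol": "HTTPS", "Port": 443}),
    # Option D as written ("install it on the NLB"): TLS listener -> TLS target group.
    "option D": (NLB, {"Protocol": "TLS", "Port": 443, "Certificates": CERT},
                 {"Protocol": "TLS", "Port": 443}),
    # What the D voters describe: TCP:443 passthrough, no certificate on the NLB.
    "NLB TCP passthrough": (NLB, {"Protocol": "TCP", "Port": 443},
                            {"Protocol": "TCP", "Port": 443}),
    # Classic TLS offload: encrypted to the ALB, plaintext to the instances.
    "ALB offload": (ALB, {"Protocol": "HTTPS", "Port": 443, "Certificates": CERT},
                    {"Protocol": "HTTP", "Port": 80}),
}


def report(scenarios: dict = SCENARIOS) -> dict:
    """Map scenario name -> (posture, every hop encrypted?, LB blind to plaintext?)."""
    out = {}
    for name, (lb, lst, tg) in scenarios.items():
        p = classify(lb, lst, tg)
        out[name] = (p, encrypted_on_every_hop(p), lb_never_sees_plaintext(p))
    return out


if __name__ == "__main__":
    for name, (p, hops, blind) in report().items():
        print(f"{name:20s} {p.name:20s} every_hop={hops} lb_blind={blind}")
```

The point this makes is that C and D as written are the same posture: the balancer terminates the client's TLS with its own certificate and opens a second TLS session to the instance, so every hop is encrypted but the balancer holds plaintext and a private key. Only an NLB TCP listener with no certificate on the balancer keeps it out of the session, and for that case the load balancer configuration alone cannot show the instance is really serving TLS on 443; check the target itself.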

Comments

pitakk
Highly Voted 2 years, 2 months ago
Selected Answer: C
Amazon-issued public certificates can’t be installed on an EC2 instance. To enable end-to-end encryption, you must use a third-party SSL certificate. https://aws.amazon.com/premiumsupport/knowledge-center/acm-ssl-certificate-ec2-elb/ so it's C or D. I choose C as it's ALB
upvoted 48 times
_Jassybanga_
1 year, 1 month ago
In C, the encryption will terminate at the ALB, so it's not end-to-end encryption; for end-to-end encryption you need an NLB.
upvoted 3 times
hobokabobo
2 years, 1 month ago
Correct, but then you would use that ordered certificate for the ALB as well. The other reason to order certificates is that some clients cannot verify ACM certificates, which is not acceptable for a production public service. Between the ALB and EC2 a self-signed certificate is sufficient, as the ALB does no verification of the EC2's certificate at all.
upvoted 2 times
bjexamprep
12 months ago
That means you are decrypting the data on the ALB and encrypting it again to send it to EC2. Does that sound E2E?
upvoted 5 times
Untamables
Highly Voted 2 years, 2 months ago
Selected Answer: D
Vote D. If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
upvoted 41 times
hobokabobo
2 years, 1 month ago
Correct, but they want to upload the certificate to the NLB for unknown reasons.
upvoted 6 times
Arnaud92
2 years ago
You can use an NLB with an ACM cert on it. NLB can do TLS termination (https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/) and re-encrypt to the target.
upvoted 2 times
lkyixoayffasdrlaqd
2 years, 1 month ago
How can this be true? Option D says to install it on the NLB. You say bypass the NLB. If you bypass the NLB, why are you installing the cert?
upvoted 12 times
Trap_D0_r
Most Recent 1 month ago
Selected Answer: C
Please read the question carefully: "end-to-end encryption IN TRANSIT". There is no requirement for TLS termination at the NLB, and uploading the certificate to the NLB would effectively negate this anyway (I think it's thrown in there specifically to show this is the wrong answer). While it's worded poorly, the only good answer is C, which will decrypt and re-encrypt traffic at the ALB only, but all traffic traversing the network will be encrypted while IN TRANSIT.
upvoted 1 times
uffd
1 month, 1 week ago
Selected Answer: D
A is not correct because, as pitakk mentioned, Amazon-issued public certificates from AWS Certificate Manager (ACM) cannot be directly installed on an EC2 instance. It requires 3rd-party certificates. B doesn't make any sense. C is not correct because the ALB decrypts the traffic before sending it to the target EC2 instances. D is correct because NLB has TCP passthrough. With this, the NLB doesn't have to decrypt the traffic before forwarding it to the target instances. Courtesy of Perplexity & DeepSeek.
upvoted 1 times
attila9778
3 months, 3 weeks ago
Selected Answer: C
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html AWS Certificate Manager (ACM) certificates cannot be directly installed on Amazon EC2 instances, except for those connected to a Nitro Enclave. Therefore my choice is also C.
upvoted 1 times
Heman31in
3 months, 3 weeks ago
From your link: "You cannot associate ACM certificates with an EC2 instance that is not connected to a Nitro Enclave." This is for the Nitro case. Also: "ACM is integrated with Elastic Load Balancing to deploy ACM certificates on the load balancer." So the answer is A.
upvoted 1 times
sergza
3 months, 3 weeks ago
Selected Answer: D
According to: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it.
upvoted 2 times
henrikhmkhitaryan59
4 months ago
Selected Answer: D
end-to-end encryption
upvoted 2 times
AWSum1
6 months, 2 weeks ago
Selected Answer: D
I'm leaning closer to D because NLB supports e2e. I feel that if the question had asked about offloading, the ALB options might have been better. But here it's asking for e2e, and that can only be done with an NLB.
upvoted 3 times
amministrazione
7 months ago
D. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.
upvoted 1 times
toma
8 months, 1 week ago
It is D; C is more complex.
upvoted 1 times
higashikumi
10 months, 1 week ago
Selected Answer: C
To achieve end-to-end encryption for a web application using AWS, place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM) and associate it with the ALB to handle HTTPS traffic from clients to the ALB. Additionally, install a third-party SSL certificate on each EC2 instance to ensure that traffic between the ALB and the instances is also encrypted. Configure the ALB to listen on port 443 and forward traffic to port 443 on the instances. This setup ensures that all data in transit is encrypted from the client through the ALB to the backend EC2 instances, meeting security requirements for end-to-end encryption while leveraging ACM for simplified certificate management.
upvoted 1 times
Malcnorth59
10 months, 1 week ago
Selected Answer: D
The key here is end-to-end, so that rules out ALB. Instead, use NLB with TLS termination, which will pass the traffic on encrypted. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#:~:text=The%20load%20balancer%20passes%20the,combination%20of%20protocols%20and%20ciphers.
upvoted 2 times
titi_r
10 months, 2 weeks ago
Selected Answer: D
“To enable END-TO-END encryption, you must procure an SSL certificate from a third-party vendor. You can then install the certificate on the EC2 instance and also associate the SAME certificate with the (network) Load Balancer by importing it into Amazon Certificate Manager.” https://www.youtube.com/watch?v=6Nz0RFfBqVE&t=44s TLS listeners for your Network Load Balancer: "… if you need to pass encrypted traffic to the targets without the (network) load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener." https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html P.S. The answer is misleading because it says to install the certificate on the NLB; read it as “import it to ACM and associate it with the NLB.”
upvoted 3 times
vip2
10 months, 2 weeks ago
Selected Answer: C
C is correct because: ALB + self-signed certificate; NLB + public certificate.
upvoted 1 times
EmmanuelPR
1 year ago
Selected Answer: A
Public Certificates: You can request Amazon-issued public certificates from ACM. ACM manages the renewal and deployment of public certificates that are used with ACM-integrated services, including Amazon CloudFront, Elastic Load Balancing, and Amazon API Gateway. https://aws.amazon.com/es/certificate-manager/faqs/
upvoted 2 times
gofavad926
1 year ago
Selected Answer: C
C: use ACM in the ALB and third-party SSL certificate in the EC2 instances
upvoted 2 times
Dgix
1 year ago
Selected Answer: D
The only solution that encrypts all the way is D.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other