Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 49 discussion

A company is planning to host a web application on AWS and wants to load balance the traffic across a group of Amazon EC2 instances. One of the security requirements is to enable end-to-end encryption in transit between the client and the web server.

Which solution will meet this requirement?

  • A. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Export the SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
  • B. Associate the EC2 instances with a target group. Provision an SSL certificate using AWS Certificate Manager (ACM). Create an Amazon CloudFront distribution and configure it to use the SSL certificate. Set CloudFront to use the target group as the origin server.
  • C. Place the EC2 instances behind an Application Load Balancer (ALB) Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Provision a third-party SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
  • D. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
pitakk
Highly Voted 1 year, 10 months ago
Selected Answer: C
Amazon-issued public certificates can’t be installed on an EC2 instance. To enable end-to-end encryption, you must use a third-party SSL certificate. https://aws.amazon.com/premiumsupport/knowledge-center/acm-ssl-certificate-ec2-elb/ so it's C or D. I choose C as it's ALB
upvoted 46 times
_Jassybanga_
9 months, 1 week ago
in C , the encryption will terminate at ALB so its not an end-2-end encryption , for e2e end encryption need NLB
upvoted 3 times
...
hobokabobo
1 year, 8 months ago
correct, but then you would use that ordered certificate for the alb as well. The other reason to order certificates is because some clients cannot verify ACM certificates which is not acceptable for a productive public service. Between ALB and EC2 a self signed certificate is sufficient as alb does no verification of the EC2's certificate at all.
upvoted 2 times
bjexamprep
7 months, 3 weeks ago
that means you are decrypting the data on ALB and encrypt it again to send it to EC2. Does that sound E2E?
upvoted 5 times
...
...
...
Untamables
Highly Voted 1 year, 10 months ago
Selected Answer: D
Vote D. If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
upvoted 38 times
hobokabobo
1 year, 8 months ago
coorect. but they want to upload the the certificate to the NLB for unknown reasons.
upvoted 6 times
...
Arnaud92
1 year, 8 months ago
You can use NLB with ACM cert on it. NLB can do TLS termination (https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/) and re-encrypt to target
upvoted 2 times
...
lkyixoayffasdrlaqd
1 year, 8 months ago
how can this be true? Option D says to install on NLB. You say bypass the NLB. If you bypass the NLB why are you installing the cert?
upvoted 12 times
...
...
AWSum1
Most Recent 2 months, 1 week ago
Selected Answer: D
I'm leaning closer to D because, NLB supports e2e. I feel that if the question asked about offloading then the ALB options may have been better. But here it's asking for e2e and can only be done with an NLB
upvoted 2 times
...
amministrazione
2 months, 3 weeks ago
D. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.
upvoted 1 times
...
toma
4 months ago
it is D, C is more complex.
upvoted 1 times
...
higashikumi
6 months ago
Selected Answer: C
To achieve end-to-end encryption for a web application using AWS, place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM) and associate it with the ALB to handle HTTPS traffic from clients to the ALB. Additionally, install a third-party SSL certificate on each EC2 instance to ensure that traffic between the ALB and the instances is also encrypted. Configure the ALB to listen on port 443 and forward traffic to port 443 on the instances. This setup ensures that all data in transit is encrypted from the client through the ALB to the backend EC2 instances, meeting security requirements for end-to-end encryption while leveraging ACM for simplified certificate management   .
upvoted 1 times
...
Malcnorth59
6 months ago
Selected Answer: D
The key here is end-to-end, so that rules out ALB. Instead Use NLB with TLS termination which will pass the traffic on encrypted. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#:~:text=The%20load%20balancer%20passes%20the,combination%20of%20protocols%20and%20ciphers.
upvoted 1 times
...
titi_r
6 months ago
Selected Answer: D
“To enable END-TO-END encryption, you must procure an SSL certificate from a third-party vendor. You can then install the certificate on the EC2 instance and also associate the SAME certificate with the (network) Load Balancer by importing it into Amazon Certificate Manager.” https://www.youtube.com/watch?v=6Nz0RFfBqVE&t=44s TLS listeners for your Network Load Balancer "… if you need to pass encrypted traffic to the targets without the (network) load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener." https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html P.S. The answer is misleading because it says to install the certificate on the NLB; read it as “import it to ACM and associate it with the NLB.
upvoted 2 times
...
vip2
6 months, 1 week ago
Selected Answer: C
C is correct because ALB+Self-signed Certification NLB+Public Certification
upvoted 1 times
...
EmmanuelPR
8 months ago
Selected Answer: A. Public Certificates: You can request Amazon-issued public certificates from ACM. ACM manages the renewal and deployment of public certificates that are used with ACM-integrated services, including Amazon CloudFront, Elastic Load Balancing, and Amazon API Gateway. https://aws.amazon.com/es/certificate-manager/faqs/
upvoted 2 times
...
gofavad926
8 months, 1 week ago
Selected Answer: C
C: use ACM in the ALB and third-party SSL certificate in the EC2 instances
upvoted 2 times
...
Dgix
8 months, 2 weeks ago
Selected Answer: D
The only solution that encrypts all the way is D.
upvoted 1 times
...
bjexamprep
8 months, 2 weeks ago
Selected Answer: D
The different opinions are mainly on C or D. Both C and D are good for end to end encryption “in transit”. But actually the data is unencrypted on the ALB, and then encrypted again. Technically speaking, the ALB should be considered as part of the “transit”. This is a flaw of C. And it is complicated to introduce another certificate. The flaws of answer D are: - mentioning installing SSL certificate to the NLB, which is not necessary. - It doesn’t mention which listener is used. TLS listener does SSL termination while TCP listener does not.
upvoted 1 times
...
marszalekm
8 months, 4 weeks ago
https://aws.amazon.com/blogs/aws/mutual-authentication-for-application-load-balancer-to-reliably-verify-certificate-based-client-identities/
upvoted 2 times
...
ninomfr64
10 months, 3 weeks ago
Selected Answer: D
Not A. You cannot export ACM certificate https://repost.aws/knowledge-center/configure-acm-certificates-ec2 Not B. You cannot set CloudFront to use the target group as the origin server, you need to set the ELB the target group is assigned Not C. This terminates SSL in the load balancer and then re-encrypt, while the question asks for end-to-end encryption in transit between the client and the web server. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html NLB configured with TCP listener on port 443 is the right option. This answer is misleading as it mention to install the SSL certificate on the NLB, this is not needed if you do not use a TLS listener.
upvoted 2 times
...
subbupro
11 months, 3 weeks ago
D would be fine transport level security. No need any encrypt and decrypt.
upvoted 1 times
...
sonyaws
12 months ago
Selected Answer: D
Application Load Balancers do not support mutual TLS authentication (mTLS). For mTLS support, create a TCP listener using a Network Load Balancer or a Classic Load Balancer and implement mTLS on the target. Ref: 4th paragraph of https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...