Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 49 discussion

Amazon-issued public certificates can’t be installed on an EC2 instance. To enable end-to-end encryption, you must use a third-party SSL certificate. https://aws.amazon.com/premiumsupport/knowledge-center/acm-ssl-certificate-ec2-elb/ so it's C or D. I choose C as it's ALB

Vote D. If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

I'm leaning closer to D because, NLB supports e2e. I feel that if the question asked about offloading then the ALB options may have been better. But here it's asking for e2e and can only be done with an NLB

D. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.

it is D, C is more complex.

To achieve end-to-end encryption for a web application using AWS, place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM) and associate it with the ALB to handle HTTPS traffic from clients to the ALB. Additionally, install a third-party SSL certificate on each EC2 instance to ensure that traffic between the ALB and the instances is also encrypted. Configure the ALB to listen on port 443 and forward traffic to port 443 on the instances. This setup ensures that all data in transit is encrypted from the client through the ALB to the backend EC2 instances, meeting security requirements for end-to-end encryption while leveraging ACM for simplified certificate management   .

The key here is end-to-end, so that rules out ALB. Instead Use NLB with TLS termination which will pass the traffic on encrypted. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#:~:text=The%20load%20balancer%20passes%20the,combination%20of%20protocols%20and%20ciphers.

“To enable END-TO-END encryption, you must procure an SSL certificate from a third-party vendor. You can then install the certificate on the EC2 instance and also associate the SAME certificate with the (network) Load Balancer by importing it into Amazon Certificate Manager.” https://www.youtube.com/watch?v=6Nz0RFfBqVE&t=44s TLS listeners for your Network Load Balancer "… if you need to pass encrypted traffic to the targets without the (network) load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener." https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html P.S. The answer is misleading because it says to install the certificate on the NLB; read it as “import it to ACM and associate it with the NLB.

C is correct because ALB+Self-signed Certification NLB+Public Certification

Selected Answer: A. Public Certificates: You can request Amazon-issued public certificates from ACM. ACM manages the renewal and deployment of public certificates that are used with ACM-integrated services, including Amazon CloudFront, Elastic Load Balancing, and Amazon API Gateway. https://aws.amazon.com/es/certificate-manager/faqs/

C: use ACM in the ALB and third-party SSL certificate in the EC2 instances

The only solution that encrypts all the way is D.

The different opinions are mainly on C or D. Both C and D are good for end to end encryption “in transit”. But actually the data is unencrypted on the ALB, and then encrypted again. Technically speaking, the ALB should be considered as part of the “transit”. This is a flaw of C. And it is complicated to introduce another certificate. The flaws of answer D are: - mentioning installing SSL certificate to the NLB, which is not necessary. - It doesn’t mention which listener is used. TLS listener does SSL termination while TCP listener does not.

https://aws.amazon.com/blogs/aws/mutual-authentication-for-application-load-balancer-to-reliably-verify-certificate-based-client-identities/

Not A. You cannot export ACM certificate https://repost.aws/knowledge-center/configure-acm-certificates-ec2 Not B. You cannot set CloudFront to use the target group as the origin server, you need to set the ELB the target group is assigned Not C. This terminates SSL in the load balancer and then re-encrypt, while the question asks for end-to-end encryption in transit between the client and the web server. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html NLB configured with TCP listener on port 443 is the right option. This answer is misleading as it mention to install the SSL certificate on the NLB, this is not needed if you do not use a TLS listener.

D would be fine transport level security. No need any encrypt and decrypt.

Application Load Balancers do not support mutual TLS authentication (mTLS). For mTLS support, create a TCP listener using a Network Load Balancer or a Classic Load Balancer and implement mTLS on the target. Ref: 4th paragraph of https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html