AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 15
Your organization runs a popular e-commerce application deployed on AWS that uses Auto Scaling in conjunction with an Elastic Load Balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses.
Which step should you take to fix this problem?
Answer options
- A. Generate new SSL certificates for all web servers and replace current certificates.
- B. Change the security policy on the ELB to disable vulnerable protocols and ciphers.
- C. Generate new SSL certificates and use ELB to front-end the encrypted traffic for all web servers.
- D. Leverage your current configuration management system to update SSL policy on all web servers.
Correct answer: D
Explanation
The correct answer is D because updating the SSL policy using a configuration management system ensures that all web servers are consistently configured to disable vulnerable protocols and ciphers. Option A is incorrect as generating new SSL certificates alone does not address the underlying vulnerability. Option B only adjusts the ELB, which could leave web servers exposed, and option C does not resolve the vulnerability at the web server level.