AWS Certified Security – Specialty (SCS-C02) — Question 100
A company needs complete encryption of the traffic between external users and an application. The company hosts the application on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB).
How can a security engineer meet these requirements?
Answer options
- A. Create a new Amazon-issued certificate in AWS Secrets Manager. Export the certificate from Secrets Manager. Import the certificate into the ALB and the EC2 instances.
- B. Create a new Amazon-issued certificate in AWS Certificate Manager (ACM). Associate the certificate with the ALB. Export the certificate from ACM. Install the certificate on the EC2 instances.
- C. Import a new third-party certificate into AWS Identity and Access Management (IAM). Export the certificate from IAM. Associate the certificate with the ALB and the EC2 instances.
- D. Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the ALB. Install the certificate on the EC2 instances.
Correct answer: D
Explanation
The correct answer is D because importing a third-party certificate into AWS Certificate Manager (ACM) allows it to be easily associated with the ALB for HTTPS traffic, while also enabling installation on the EC2 instances for end-to-end encryption. Option A is incorrect as AWS Secrets Manager is not meant for managing certificates in this context. Option B is wrong since Amazon-issued certificates cannot be installed directly on EC2 instances in the same way as third-party certificates. Option C misuses AWS Identity and Access Management (IAM), which is not designed for certificate management in this scenario.
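To make the design behind option D concrete, here is an added CloudFormation fragment (example configuration written for this page, not taken from the exam or from AWS documentation). It wires an ACM-imported certificate to the ALB's HTTPS listener and sends traffic to the EC2 target group over HTTPS, so both hops are encrypted. The certificate ARN, VPC ID and the `AppLoadBalancer` resource are placeholders that are assumed to exist elsewhere in the template.

```yaml
# Added example, not part of the original question page. All ARNs and IDs are
# placeholders; AppLoadBalancer and the Auto Scaling group are assumed to be
# defined elsewhere in the same template.
Parameters:
  ImportedCertificateArn:
    Type: String
    Description: ARN of the third-party certificate imported into ACM (placeholder)
  VpcId:
    Type: AWS::EC2::VPC::Id

Resources:
  # Target group: the ALB -> instance hop uses TLS rather than plaintext HTTP.
  AppTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTPS
      Port: 443
      TargetType: instance
      HealthCheckProtocol: HTTPS
      HealthCheckPath: /health

  # Public listener: terminates TLS with the certificate held in ACM.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AppLoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref ImportedCertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AppTargetGroup

  # Plaintext listener only redirects to HTTPS, so no user traffic stays on port 80.
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AppLoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301
```

Two points this fragment does not cover, which is exactly why the question's answer involves two steps: ACM only serves the certificate to the ALB listener, so the third-party certificate and its private key still have to be placed on each instance by your own provisioning (for example, fetched at boot by the instance role) and loaded into the web server listening on port 443. Also, an ALB does not validate the certificate presented by its targets, so the backend hop is encrypted but not authenticated by the load balancer; the instance-side certificate is what keeps the traffic confidential on that segment.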