AWS Certified Security – Specialty — Question 103
A company's architecture requires that its three Amazon EC2 instances run behind an Application Load Balancer (ALB). The EC2 instances transmit sensitive data between each other. Developers use SSL certificates to encrypt the traffic between the public users and the ALB. However, the Developers are unsure of how to encrypt the data in transit between the ALB and the EC2 instances and the traffic between the EC2 instances.
Which combination of activities must the company implement to meet its encryption requirements? (Choose two.)
Answer options
- A. Configure SSL/TLS on the EC2 instances and configure the ALB target group to use HTTPS.
- B. Ensure that all resources are in the same VPC so the default encryption provided by the VPC is used to encrypt the traffic between the EC2 instances.
- C. In the ALB, select the default encryption to encrypt the traffic between the ALB and the EC2 instances.
- D. In the code for the application, include a cryptography library and encrypt the data before sending it between the EC2 instances.
- E. Configure AWS Direct Connect to provide an encrypted tunnel between the EC2 instances.
Correct answer: A, D
Explanation
The correct answers are A and D. Configuring SSL/TLS on the EC2 instances and setting the ALB target group protocol to HTTPS ensures that the data is encrypted in transit between the ALB and the instances. Additionally, incorporating a cryptography library in the application code allows the data exchanged between the EC2 instances to be encrypted. Options B and C do not provide sufficient security: the VPC does not provide default encryption for EC2-to-EC2 traffic, and the ALB has no default encryption setting for this scenario. Option E is not relevant because AWS Direct Connect is used to establish a dedicated network connection, not to encrypt traffic between EC2 instances.