AWS Certified Security – Specialty — Question 150

A company wants to deploy a distributed web application on a fleet of EC2 instances. The fleet will be fronted by a Classic Load Balancer that will be configured to terminate the TLS connection. The company wants to make sure that all past and current TLS traffic to the Classic Load Balancer stays secure, even if the certificate private key is leaked.
To ensure the company meets these requirements, a Security Engineer can configure a Classic Load Balancer with:

Answer options

• A. An HTTPS listener that uses a certificate that is managed by Amazon Certification Manager.
• B. An HTTPS listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.
• C. An HTTPS listener that uses the latest AWS predefined ELBSecurityPolicy-TLS-1-2-2017-01 security policy.
• D. A TCP listener that uses a custom security policy that allows only perfect forward secrecy cipher suites.

Correct answer: B

Explanation

The correct answer, B, ensures that the Classic Load Balancer uses a custom security policy that enforces perfect forward secrecy, which protects past and current TLS sessions even if the certificate private key is compromised. Option A does not address the specific security requirements regarding the private key. Option C, while using a predefined policy, may not specifically guarantee perfect forward secrecy. Option D uses a TCP listener, which does not provide the necessary TLS termination required for secure connections.