AWS Certified Security – Specialty — Question 396
A company has an application that processes personally identifiable information (PII). The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company’s security policies require that data is encrypted in transit at all times to avoid the possibility of exposing any PII in plaintext.
Which solutions could a security engineer use to meet these requirements? (Choose two.)
Answer options
- A. Terminate SSL from clients on the existing ALB. Use HTTPS to connect from the ALB to the EC2 instances.
- B. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure an SSL listener and TCP passthrough to receive client connections. Terminate HTTPS traffic from the NLB on the EC2 instances.
- C. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure TCP passthrough to receive client connections. Terminate SSL from the NLB on the EC2 instances.
- D. Configure a Network Load Balancer (NLB) with TCP passthrough to receive client connections. Terminate SSL on the existing ALB.
- E. Configure a Network Load Balancer (NLB) with a TLS listener to receive client connections. Configure TCP passthrough on the existing ALB so that the NLB can reach the EC2 instances. Terminate SSL from the ALB on the EC2 instances.
Correct answer: A, C
Explanation
Option A meets the end-to-end encryption requirement by terminating the client's SSL/TLS connection at the ALB and opening a new encrypted HTTPS connection from the ALB to the EC2 instances, so no hop on the path carries plaintext. Option C also satisfies the requirement: with TCP passthrough the NLB forwards the encrypted bytes untouched, so the TLS session the client negotiated terminates directly on the EC2 instances. The other options are incorrect because they either describe configuration combinations that do not exist (an NLB listener cannot be both an SSL listener and TCP passthrough, and an ALB does not offer TCP passthrough) or leave part of the transit path unencrypted.
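The distinction the explanation draws (where TLS terminates, and whether the hop to the instances is re-encrypted or passed through) is easy to audit from listener and target-group protocols alone. The following is an added example, not part of the exam page or any AWS tooling; it classifies each load balancer path over a constructed, simplified view of ELBv2 protocols rather than raw CLI output, and it models the ALB/NLB combinations discussed above plus the NLB TLS-listener cases the page does not cover.

```python
"""Classify load balancer paths by whether PII stays encrypted end to end.

Added example (not from the exam page). Input is a constructed, simplified
view of ELBv2 listener and target-group protocols, not raw boto3/CLI output.
"""

ENCRYPTED = "encrypted"                # every hop is TLS (option A, or NLB TLS->TLS)
PASSTHROUGH = "passthrough"            # option C: NLB forwards bytes untouched
PLAINTEXT_HOP = "plaintext-hop"        # TLS ends at the LB, cleartext to instances
PLAINTEXT_CLIENT = "plaintext-client"  # clients may connect without TLS at all
INVALID = "invalid"                    # combination not offered or not modelled here


def audit_path(lb_type: str, listener: str, target: str) -> str:
    """Classify one listener -> target-group pair for in-transit encryption."""
    lb_type, listener, target = lb_type.lower(), listener.upper(), target.upper()
    if lb_type == "application":
        if listener not in {"HTTP", "HTTPS"} or target not in {"HTTP", "HTTPS"}:
            return INVALID
        if listener == "HTTP":
            return PLAINTEXT_CLIENT
        # HTTPS listener: compliant only if the ALB re-encrypts to the targets.
        return ENCRYPTED if target == "HTTPS" else PLAINTEXT_HOP
    if lb_type == "network":
        if listener not in {"TCP", "TLS"} or target not in {"TCP", "TLS"}:
            return INVALID
        if listener == "TCP":
            # TCP passthrough: the client's TLS session ends on the instance. The LB
            # config cannot prove the instance speaks TLS; verify that on the targets.
            return PASSTHROUGH if target == "TCP" else INVALID
        # TLS listener terminates on the NLB; a TLS target group re-encrypts, TCP does not.
        return ENCRYPTED if target == "TLS" else PLAINTEXT_HOP
    return INVALID


def noncompliant(paths: list[dict]) -> list[str]:
    """Return names of paths that expose plaintext or are invalid (passthrough is
    reported separately by callers because it needs a target-side check)."""
    bad = {PLAINTEXT_HOP, PLAINTEXT_CLIENT, INVALID}
    return [p["name"] for p in paths
            if audit_path(p["lb_type"], p["listener"], p["target"]) in bad]


# Constructed sample inventory mirroring the answer options.
SAMPLE_PATHS = [
    {"name": "alb-https-to-https", "lb_type": "application", "listener": "HTTPS", "target": "HTTPS"},
    {"name": "alb-https-to-http", "lb_type": "application", "listener": "HTTPS", "target": "HTTP"},
    {"name": "nlb-tcp-passthrough", "lb_type": "network", "listener": "TCP", "target": "TCP"},
    {"name": "nlb-tls-to-tcp", "lb_type": "network", "listener": "TLS", "target": "TCP"},
]

if __name__ == "__main__":
    print(noncompliant(SAMPLE_PATHS))  # ['alb-https-to-http', 'nlb-tls-to-tcp']
```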