AWS Certified Security – Specialty — Question 461

A company hosts an end user application on AWS. Currently, the company deploys the application on Amazon EC2 instances behind an Elastic Load Balancer. The company wants to configure end-to-end encryption between the Elastic Load Balancer and the EC2 instances.

Which solution will meet this requirement with the LEAST operational effort?

Answer options

• A. Use Amazon issued AWS Certificate Manager (ACM) certificates on the EC2 instances and the Elastic Load Balancer to configure end-to-end encryption.
• B. Import a third-party SSL certificate to AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the Elastic Load Balancer.
• C. Deploy AWS CloudHSM. Import a third-party certificate. Configure the EC2 instances and the Elastic Load Balancer to use the CloudHSM imported certificate.
• D. Import a third-party certificate bundle to AWS Certificate Manager (ACM). Install the third-party certificate on the EC2 instances. Associate the ACM imported third-party certificate with the Elastic Load Balancer.

Correct answer: B

Explanation

Amazon-issued AWS Certificate Manager (ACM) certificates cannot be downloaded or installed directly on Amazon EC2 instances, which rules out option A. By importing a third-party SSL certificate into ACM, you can bind it to the Elastic Load Balancer and also install the same certificate on the EC2 instances to establish secure, end-to-end encryption. Solutions involving AWS CloudHSM are incorrect as they introduce unnecessary complexity and high operational overhead.