AWS Certified Security – Specialty — Question 474
A company is ready to deploy a public web application. The company will use AWS and will host the application on an Amazon EC2 instance. The company must use SSL/TLS encryption. The company is already using AWS Certificate Manager (ACM) and will export a certificate for use with the deployment.
How can a security engineer deploy the application to meet these requirements?
Answer options
- A. Put the EC2 instance behind an Application Load Balancer (ALB). In the EC2 console, associate the certificate with the ALB by choosing HTTPS and 443.
- B. Put the EC2 instance behind a Network Load Balancer. Associate the certificate with the EC2 instance.
- C. Put the EC2 instance behind a Network Load Balancer (NLB). In the EC2 console, associate the certificate with the NLB by choosing HTTPS and 443.
- D. Put the EC2 instance behind an Application Load Balancer. Associate the certificate with the EC2 instance.
Correct answer: A
Explanation
Public certificates generated by AWS Certificate Manager (ACM) cannot be exported directly to EC2 instances, which rules out options B and D. An Application Load Balancer (ALB) integrates natively with ACM certificates and supports HTTPS listeners on port 443, which offload SSL/TLS decryption from the instance. Network Load Balancers (NLBs) support TLS listeners but do not support the HTTPS application-layer protocol directly, so the ALB configuration in option A is the correct solution.