AWS Certified Security – Specialty — Question 481

Example.com is hosted on Amazon EC2 instance behind an Application Load Balancer (ALB). Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host. The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.
What is the MOST secure way to meet these requirements?

Answer options

• A. Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.
• B. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.
• C. Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).
• D. Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Correct answer: C

Explanation

To ensure user privacy, the external connection to the ALB should use Elliptic Curve Diffie-Hellman (ECDHE) to support Perfect Forward Secrecy (PFS). For the HIDS agents on the EC2 instances to inspect the traffic, the backend connection from the ALB to the instances must be decryptable, which requires using encrypted connections without PFS (such as static RSA keys) so the HIDS can decrypt the packets. Option A is incorrect because the ALB does not support TLS pass-through, and Option B is insecure because it transmits backend traffic in plaintext.