AWS Certified Security – Specialty — Question 53
An organization has a system in AWS that allows a large number of remote workers to submit data files. File sizes vary from a few kilobytes to several megabytes.
A recent audit highlighted a concern that data files are not encrypted while in transit over untrusted networks.
Which solution would remediate the audit finding while minimizing the effort required?
Answer options
- A. Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
- B. Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
- C. Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancer in front of the web service's servers.
- D. Create a new VPC with an Amazon VPC VPN endpoint, and update the web service's DNS record.
Correct answer: C
Explanation
The correct answer is C. The finding concerns data in transit, so the remediation is TLS between the remote workers' clients and the service. AWS Certificate Manager (ACM) issues a public certificate at no charge, validates it by DNS or email, renews it automatically, and attaches it to an HTTPS listener on an Elastic Load Balancer in a few console or CLI steps; the private key never leaves ACM, and the application servers behind the load balancer need no change. Configure the listener with a current TLS security policy and have the port 80 listener redirect to HTTPS so clients cannot fall back to plaintext. Note that the load balancer terminates TLS: traffic from the load balancer to the targets inside the VPC is not covered by this certificate, which satisfies the finding as stated (untrusted networks) but should be recorded in the audit response.

Option A is the legacy path: uploading a third-party certificate to IAM means buying it, handling the private key yourself and renewing it by hand, and the "passphrase for the private key" is a distractor, since neither IAM server certificate upload nor CloudFront accepts a passphrase-protected private key. Option B does not secure the channel at all; it encrypts the payload in the client, and KMS Encrypt accepts at most 4 KB of plaintext per call, so files of several megabytes cannot be passed to it directly (they would need envelope encryption with a data key), and every client would have to be rewritten and issued AWS credentials. Option D replaces a web upload with a VPN: every remote worker would need a VPN client and configuration, and a new VPC plus a DNS change does not by itself encrypt the HTTP traffic, so it is far more effort than attaching a certificate.
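The remediation in option C, written out as a CloudFormation template. This is an added example for this page, not material from the exam or from AWS documentation; the domain name, hosted zone, VPC, subnets, security group, backend port 8080 and `/health` path are all placeholders the template takes as parameters. It shows the point the explanation makes: ACM issues and renews the certificate, the HTTPS listener terminates TLS with a TLS 1.2/1.3-only policy, and the HTTP listener exists only to redirect clients to HTTPS rather than forward plaintext uploads.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: ACM certificate on an Application Load Balancer HTTPS
  listener, with the HTTP listener redirecting to HTTPS. Not part of the
  original question; all names below are assumptions supplied as parameters.

Parameters:
  DomainName:
    Type: String
    Description: Hypothetical FQDN of the upload service (assumption).
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
    Description: Route 53 zone used for DNS validation and the alias record (assumption).
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnets:
    Type: List<AWS::EC2::Subnet::Id>
    Description: At least two public subnets in different Availability Zones.
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Should allow inbound 80 and 443 from the Internet only.

Resources:
  # ACM issues and auto-renews the public certificate; the operator never
  # handles a private key, which is the "minimal effort" part of option C.
  UploadCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

  UploadLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnets
      SecurityGroups:
        - !Ref AlbSecurityGroup

  # Backend port and health check path are assumptions for the example.
  # Traffic from the ALB to these targets stays inside the VPC and is not
  # covered by the ACM certificate (see the caveat in the explanation).
  UploadTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP
      Port: 8080
      TargetType: instance
      HealthCheckPath: /health

  # TLS terminates here. The certificate is referenced by ARN; the policy
  # restricts negotiation to TLS 1.2 and 1.3.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref UploadLoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref UploadCertificate
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref UploadTargetGroup

  # Weak setting would be a port 80 listener with a "forward" action, which
  # leaves the audit finding open. Corrected setting: port 80 only redirects.
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref UploadLoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301

  # Point the service name at the load balancer in the assumed hosted zone.
  UploadDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt UploadLoadBalancer.DNSName
        HostedZoneId: !GetAtt UploadLoadBalancer.CanonicalHostedZoneID
```

Stack creation blocks on the certificate until the DNS validation CNAME exists in the hosted zone; when the zone is in the same account, CloudFormation creates that record for you because `HostedZoneId` is given under `DomainValidationOptions`. After deployment, a quick check from a remote worker's perspective is that `http://<DomainName>/` returns a 301 to `https://` and that the HTTPS endpoint refuses TLS 1.0 and 1.1.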