AWS Certified Security – Specialty — Question 79
A Security Engineer must implement mutually authenticated TLS connections between containers that communicate inside a VPC.
Which solution would be MOST secure and easy to maintain?
Answer options
- A. Use AWS Certificate Manager to generate certificates from a public certificate authority and deploy them to all the containers.
- B. Create a self-signed certificate in one container and use AWS Secrets Manager to distribute the certificate to the other containers to establish trust.
- C. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then create the private keys in the containers and sign them using the ACM PCA API.
- D. Use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a subordinate certificate authority, then use AWS Certificate Manager to generate the private certificates and deploy them to all the containers.
Correct answer: D
Explanation
Option D is correct because ACM issues and manages the private certificates from the ACM PCA subordinate CA, so the containers receive private certificates without manual key handling, which keeps the setup both secure and easy to maintain. Option A is less secure because it relies on a public certificate authority for traffic that stays inside the VPC, and Option B, a self-signed certificate distributed through Secrets Manager, does not provide the same level of trust as a private CA. Option C adds unnecessary complexity by generating and managing private keys directly in each container and signing them through the ACM PCA API instead of letting ACM handle certificate management.