AWS Certified Solutions Architect – Associate (SAA-C02) — Question 349
A company has a three-tier environment on AWS that ingests sensor data from its users' devices. The traffic flows through a Network Load Balancer (NLB), then to
Amazon EC2 instances for the web tier, and finally to EC2 instances for the application tier, which make the database calls.
What should a solutions architect do to improve the security of data in transit to the web tier?
Answer options
- A. Configure a TLS listener and add the server certificate on the NLB.
- B. Configure AWS Shield Advanced and enable AWS WAF on the NLB.
- C. Change the load balancer to an Application Load Balancer and attach AWS WAF to it.
- D. Encrypt the Amazon Elastic Block Store (Amazon EBS) volume on the EC2 instances using AWS Key Management Service (AWS KMS).
Correct answer: A
Explanation
To secure data in transit to the web tier behind a Network Load Balancer (NLB), the correct approach is to configure a TLS listener on the NLB and attach the server certificate to it; the NLB then terminates TLS for client connections. AWS WAF cannot be associated with an NLB, and neither replacing the NLB with an Application Load Balancer nor attaching AWS WAF encrypts the traffic in transit by itself, since WAF inspects requests rather than protecting their confidentiality. Encrypting EBS volumes with AWS KMS protects data at rest, which does not address the requirement of securing data in transit.