AWS Certified Solutions Architect – Associate (SAA-C02) — Question 550
A company has a dynamic web application hosted on two Amazon EC2 instances. The company has its own SSL certificate, which is on each instance to perform SSL termination.
There has been an increase in traffic recently, and the operations team determined that SSL encryption and decryption is causing the compute capacity of the web servers to reach their maximum limit.
What should a solutions architect do to increase the application's performance?
Answer options
- A. Create a new SSL certificate using AWS Certificate Manager (ACM). Install the ACM certificate on each instance.
- B. Create an Amazon S3 bucket. Migrate the SSL certificate to the S3 bucket. Configure the EC2 instances to reference the bucket for SSL termination.
- C. Create another EC2 instance as a proxy server. Migrate the SSL certificate to the new instance and configure it to direct connections to the existing EC2 instances.
- D. Import the SSL certificate into AWS Certificate Manager (ACM). Create an Application Load Balancer with an HTTPS listener that uses the SSL certificate from ACM.
Correct answer: D
Explanation
Offloading SSL termination to an Application Load Balancer (ALB) frees up CPU resources on the backend Amazon EC2 instances, resolving the performance bottleneck caused by encryption and decryption overhead. AWS Certificate Manager (ACM) allows the import of third-party SSL certificates, which can then be easily associated with the ALB's HTTPS listener. Other options fail because they either keep the cryptographic workload on EC2 instances or suggest invalid configurations, such as installing ACM-managed certificates directly on EC2 instances.