AWS Certified Solutions Architect – Associate (SAA-C02) — Question 739

A company has a three-tier application on AWS that ingests sensor data from its users' devices. The traffic flows through a Network Load Balancer (NLB), then to
Amazon EC2 instances for the web tier, and finally to EC2 instances for the application tier. The application tier makes calls to a database.
What should a solutions architect do to improve the security of the data in transit?

Answer options

• A. Configure a TLS listener. Deploy the server certificate on the NLB.
• B. Configure AWS Shield Advanced. Enable AWS WAF on the NLB.
• C. Change the load balancer to an Application Load Balancer (ALB). Enable AWS WAF on the ALB.
• D. Encrypt the Amazon Elastic Block Store (Amazon EBS) volume on the EC2 instances by using AWS Key Management Service (AWS KMS).

Correct answer: A

Explanation

Configuring a TLS listener on the Network Load Balancer (NLB) allows for SSL/TLS termination, which encrypts and secures the data in transit from the client to the load balancer. AWS WAF and AWS Shield Advanced provide application-layer filtering and DDoS protection but do not encrypt data in transit. Encrypting Amazon EBS volumes protects data at rest, which does not address the requirement to secure data while it is moving through the network.