AWS Certified Solutions Architect – Associate (SAA-C03) — Question 374

A company has a three-tier application on AWS that ingests sensor data from its users’ devices. The traffic flows through a Network Load Balancer (NLB), then to Amazon EC2 instances for the web tier, and finally to EC2 instances for the application tier. The application tier makes calls to a database.

What should a solutions architect do to improve the security of the data in transit?

Answer options

• A. Configure a TLS listener. Deploy the server certificate on the NLB.
• B. Configure AWS Shield Advanced. Enable AWS WAF on the NLB.
• C. Change the load balancer to an Application Load Balancer (ALB). Enable AWS WAF on the ALB.
• D. Encrypt the Amazon Elastic Block Store (Amazon EBS) volume on the EC2 instances by using AWS Key Management Service (AWS KMS).

Correct answer: A

Explanation

To secure data in transit, configuring a TLS listener on the NLB with a server certificate allows for secure encryption (HTTPS/TLS) between the clients and the load balancer. AWS WAF cannot be directly integrated with an NLB, making option B incorrect, and while changing to an ALB (option C) is possible, merely enabling WAF does not configure TLS encryption in transit. EBS encryption (option D) secures data at rest on the storage volumes rather than securing data while it is in transit across the network.