AWS Certified Solutions Architect – Professional (SAP-C02) — Question 47

A company is planning to host a web application on AWS and wants to load balance the traffic across a group of Amazon EC2 instances. One of the security requirements is to enable end-to-end encryption in transit between the client and the web server.

Which solution will meet this requirement?

Answer options

• A. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Export the SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
• B. Associate the EC2 instances with a target group. Provision an SSL certificate using AWS Certificate Manager (ACM). Create an Amazon CloudFront distribution and configure it to use the SSL certificate. Set CloudFront to use the target group as the origin server.
• C. Place the EC2 instances behind an Application Load Balancer (ALB) Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Provision a third-party SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
• D. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.

Correct answer: C

Explanation

The correct answer, C, ensures that end-to-end encryption is maintained by using an SSL certificate from AWS Certificate Manager (ACM) on the Application Load Balancer (ALB) and a third-party certificate on the EC2 instances. Option A is incorrect because it suggests exporting the ACM certificate to the instances, which is unnecessary and complicates the deployment. Option B does not meet the requirement since CloudFront does not establish end-to-end encryption with the target group. Option D uses a Network Load Balancer, which is not designed to handle SSL termination in the same way as an ALB.