AWS Certified Solutions Architect – Professional — Question 430
A company is deploying a public-facing global application on AWS using Amazon CloudFront. The application communicates with an external system. A solutions architect needs to ensure that the data is secured both end-to-end in transit and at rest.
Which combination of steps will satisfy these requirements? (Choose three.)
Answer options
- A. Create a public certificate for the required domain in AWS Certificate Manager and deploy it to CloudFront, an Application Load Balancer, and Amazon EC2 instances.
- B. Acquire a public certificate from a third-party vendor and deploy it to CloudFront, an Application Load Balancer, and Amazon EC2 instances.
- C. Provision Amazon EBS encrypted volumes using AWS KMS and ensure explicit encryption of data when writing to Amazon EBS.
- D. Provision Amazon EBS encrypted volumes using AWS KMS.
- E. Use SSL or encrypt data while communicating with the external system using a VPN.
- F. Communicate with the external system using plaintext and use the VPN to encrypt the data in transit.
Correct answer: A, C, E
Explanation
To secure data in transit end-to-end, a public certificate from AWS Certificate Manager (ACM) must be deployed at every hop: CloudFront, the Application Load Balancer, and the backend EC2 instances (Option A), so that no segment of the path from the viewer to the application is left unencrypted. To secure data at rest, provisioning Amazon EBS volumes encrypted with AWS KMS, combined with explicit application-level encryption of the data written to those volumes, provides comprehensive protection (Option C). Finally, communication with the external system must use SSL or encrypt the data payload itself over a VPN connection, so that transit outside the AWS network remains protected (Option E).