AWS Certified Solutions Architect – Professional — Question 438
You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the Web server using client certificate authentication. The solution must be resilient.
Which of the following options would you consider for configuring the web server infrastructure? (Choose two.)
Answer options
- A. Configure ELB with TCP listeners on TCP/443, and place the Web servers behind it.
- B. Configure your Web servers with EIPs. Place the Web servers in a Route53 Record Set and configure health checks against all Web servers.
- C. Configure ELB with HTTPS listeners, and place the Web servers behind it.
- D. Configure your web servers as the origins for a CloudFront distribution. Use custom SSL certificates on your CloudFront distribution.
Correct answer: A, B
Explanation
To perform client certificate authentication (mutual TLS), the TLS handshake must complete on the web servers themselves: a standard ELB HTTPS listener and a CloudFront distribution both terminate the TLS connection at the edge and do not forward the client certificate to the backend, so the web server never sees it. An ELB with TCP listeners on port 443 acts as a pass-through, forwarding the encrypted stream untouched so the web servers can request and verify the client certificate. Alternatively, routing traffic directly to the web servers via Route53 with EIPs and health checks also ensures the TLS handshake completes on the instances, while the health checks remove failed servers from DNS and so preserve resiliency.
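As an added illustration (not part of the original question or of AWS documentation), the following nginx configuration shows what a web server behind a TCP/443 pass-through listener, or reached directly via its EIP, must do to perform the client certificate check itself. The hostname, certificate paths and backend port are placeholders.

```nginx
# Added example: backend web server terminating TLS itself and verifying
# client certificates. An ELB TCP listener on 443 (or Route53 -> EIP) hands
# the raw TLS stream to this server, so the handshake, including the client
# certificate exchange, completes here. Paths and names are placeholders.
server {
    listen 443 ssl;
    server_name example.internal;                     # placeholder hostname

    ssl_certificate     /etc/ssl/server/server.crt;   # server cert (placeholder path)
    ssl_certificate_key /etc/ssl/server/server.key;   # server key (placeholder path)

    # Require a client certificate and validate it against the issuing CA.
    # Clients that present no certificate, or one not chaining to this CA,
    # fail the handshake before any HTTP request is read.
    ssl_client_certificate /etc/ssl/ca/client-ca.pem; # CA bundle (placeholder path)
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # Pass the verification result and subject DN to the application so it
        # can authorize on the certificate identity. $ssl_client_verify is
        # "SUCCESS" only when ssl_verify_client accepted the certificate.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;             # placeholder app backend
    }
}
```

One consequence worth planning for: with `ssl_verify_client on`, any HTTPS health check from the ELB or from Route53 will fail, because the health checker presents no client certificate. Use a TCP health check on port 443, or an HTTP health check against a separate plain-HTTP port that the server exposes only to the checker.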