Exam ANS-C01
Question 177

A company has a public application. The application uses an Application Load Balancer (ALB) that has a target group of Amazon EC2 instances.

The company wants to protect the application from security issues in web requests. The traffic to the application must have end-to-end encryption.

Which solution will meet these requirements?

    Correct Answer: B

    To meet the requirements of protecting the application from security issues in web requests and ensuring end-to-end encryption, configuring TLS connections to terminate at the ALB using a public certificate and configuring AWS Certificate Manager (ACM) certificates for the communication between the ALB and the EC2 instances is a suitable solution. Associating an AWS WAF web ACL with the ALB helps protect the application from security threats. This approach leverages the built-in capabilities of the ALB and ACM for managing certificates and simplifies the overall management without the need for third-party certificates. Therefore, it ensures secure and efficient handling of web traffic.

Discussion
JoellaLi Option: D

ACM certificates are supported by the following services:
• Elastic Load Balancing: To serve secure content over SSL/TLS, load balancers require that SSL/TLS certificates be installed on either the load balancer or the back-end Amazon EC2 instance. ACM is integrated with Elastic Load Balancing to deploy ACM certificates on the load balancer.
• Amazon CloudFront: To use an ACM certificate with CloudFront, make sure you request (or import) the certificate in the US East Region (us-east-1).
• Amazon API Gateway: With the proliferation of mobile devices and growth of the Internet of Things (IoT), it has become increasingly common to create APIs that can be used to access data and interact with back-end systems on AWS.
• AWS Nitro Enclaves: EC2 instances connected to Nitro Enclaves support ACM certificates. You cannot associate ACM certificates with an EC2 instance that is not connected to a Nitro Enclave.

KobDragoon Option: B

WAF for security and an ACM-managed certificate for TLS encryption. B looks fine to me.

Blitz1 Option: D

The debate is between B and D... (because the question is actually saying that an ALB is already used -> NLB is excluded from the beginning). Even if ACM is easier to use (I mean you don't need to go to a third-party provider), when reading answer B it says: "Configure AWS Certificate Manager (ACM) certificates for the communication between the ALB and the EC2 instances." You cannot use ACM for communication between ALB and EC2. Actually, in the target group you can specify the protocol and port and the associated instances, but there is no field to specify which certificate to use. Also, (B) does not say to configure the certificates on EC2, which is wrong as well. ACM is used for the ALB, and in the listener part you have the default certificate and the SNIs under the Certificates tab. Therefore D is the correct answer.

hedglin

B is correct. D is wrong, because this option involves using a third-party certificate, which adds complexity without providing any clear benefits over using ACM directly for certificate management. Terminating TLS at the ALB and applying the WAF ACL at the ALB level is correct, but the ALB's integration with ACM simplifies the process.