Amazon Exam SCS-C01 Topic 1 Question 54 Discussion

Actual exam question for Amazon's SCS-C01 exam
Question #: 54
Topic #: 1

An ecommerce company is developing new architecture for an application release. The company needs to implement TLS for incoming traffic to the application. Traffic for the application will originate from the internet. TLS does not have to be implemented in an end-to-end configuration because the company is concerned about impacts on performance. The incoming traffic types will be HTTP and HTTPS. The application uses ports 80 and 443.

What should a security engineer do to meet these requirements?

Suggested Answer: A

An Application Load Balancer (ALB) is a type of load balancer that operates at the application layer (layer 7) of the OSI model. It can distribute incoming traffic based on the content of the request, such as the host header, path, or query parameters. An ALB can also terminate TLS connections and decrypt requests from clients before sending them to the targets.

To implement TLS for incoming traffic to the application, the following steps are required:

Create a public ALB in a public subnet and register the EC2 instances as targets in a target group.

Create two listeners for the ALB, one on port 80 for HTTP traffic and one on port 443 for HTTPS traffic.

Create a rule for the listener on port 80 to redirect HTTP requests to HTTPS using the same host, path, and query parameters.

Provision a public TLS certificate in AWS Certificate Manager (ACM) for the domain name of the application. ACM is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources.

Attach the certificate to the listener on port 443 and configure the security policy to negotiate secure connections between clients and the ALB.

Configure the security groups for the ALB and the EC2 instances to allow inbound traffic on ports 80 and 443 from the internet and outbound traffic on any port to the EC2 instances.

This solution will meet the requirements of implementing TLS for incoming traffic without impacting performance or requiring end-to-end encryption. The ALB will handle the TLS termination and decryption, while forwarding unencrypted requests to the EC2 instances.
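The six steps above, written out as one deployable configuration. This is an added example, not material from the page, from Pass4Success or from the AWS documentation it cites. It is a CloudFormation template that assumes an existing VPC, two public subnets, one application instance and an already issued ACM certificate, all supplied as parameters (the parameter names, the logical resource names and the TLS policy choice are this example's own). It terminates TLS on the port 443 listener, redirects port 80 to HTTPS with the same host, path and query, and forwards plain HTTP to the instance, so nothing past the ALB is encrypted, exactly the trade-off the question accepts.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not the page's own): internet-facing ALB that terminates TLS
  on 443, redirects 80 to 443, and forwards plain HTTP to an EC2 target.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: At least two public subnets in different Availability Zones
  InstanceId:
    Type: AWS::EC2::Instance::Id
    Description: Application instance to register as the target (assumed to exist)
  CertificateArn:
    Type: String
    Description: ARN of an ISSUED ACM certificate for the app's domain (placeholder)

Resources:
  # Step 6 (ALB side): 80 and 443 open to the internet; egress left at the
  # default allow-all so the ALB can reach the instances on any port.
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing ALB, HTTP and HTTPS from anywhere
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80,  ToPort: 80,  CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }

  # Step 6 (instance side), tightened: plain HTTP is accepted only from the
  # ALB's security group, never directly from the internet. Attach this
  # group to the application instance.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App instances accept HTTP only from the ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref AlbSecurityGroup

  # Step 1: public ALB in the public subnets ...
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Type: application
      Subnets: !Ref PublicSubnetIds
      SecurityGroups: [ !Ref AlbSecurityGroup ]

  # ... with the instance registered in an HTTP (not HTTPS) target group,
  # which is what makes the hop behind the ALB unencrypted.
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP
      Port: 80
      TargetType: instance
      HealthCheckProtocol: HTTP
      HealthCheckPath: /
      Targets:
        - { Id: !Ref InstanceId, Port: 80 }

  # Steps 2 and 3: port 80 listener whose only job is a 301 to HTTPS,
  # preserving host, path and query string.
  HttpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Protocol: HTTP
      Port: 80
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            Host: "#{host}"
            Path: "/#{path}"
            Query: "#{query}"
            StatusCode: HTTP_301

  # Steps 4 and 5: port 443 listener with the ACM certificate and a
  # TLS 1.2/1.3-only security policy; forwards decrypted requests to targets.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Protocol: HTTPS
      Port: 443
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup

Outputs:
  AlbDnsName:
    Description: Point the application's DNS name (CNAME or alias) here
    Value: !GetAtt LoadBalancer.DNSName
```

Two things to check after the stack creates. The ACM certificate must already be in the Issued state (DNS or email validation completed) or the HTTPS listener fails to create, and the certificate's domain must match the name clients use, or browsers will reject the handshake. Once the application's DNS record points at the ALB, a HEAD request to `http://` should come back as a 301 whose Location header is the same URL with the `https://` scheme, and the instance security group should show no rule that admits 0.0.0.0/0, since all internet traffic now enters through the ALB.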

Verified Reference:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html


Contribute your Thoughts:

Wilbert
6 months ago
I see your point, Kati. Option D does seem more straightforward. It's important to make sure we are following best practices for security in this scenario.
upvoted 0 times
Kati
6 months ago
Interesting perspectives, Billy. I also think option D makes more sense. It's important to keep the traffic secure with TLS, and only having a listener on port 443 simplifies things.
upvoted 0 times
Billy
6 months ago
I see your point, Laquita. But I think option D is better. We just need a public Network Load Balancer with a listener on port 443, and forward traffic to the target group with TLS protocol.
upvoted 0 times
Laquita
7 months ago
I disagree with that, Wilbert. I believe the correct answer is C. We should use a public Network Load Balancer with listeners on port 80 and 443, and set the protocol for the listener on port 443 to TLS.
upvoted 0 times
Wilbert
7 months ago
I think the answer is A. We need to create a public Application Load Balancer with listeners on port 80 and 443, and attach the TLS certificate to the listener on port 443.
upvoted 0 times
Dominic
8 months ago
I don't think option B is correct, because you wouldn't want to attach the TLS certificate to the HTTP listener on port 80. That would just encrypt the traffic between the client and the load balancer, but not protect it all the way to the application.
upvoted 0 times
Toi
8 months ago
I'm leaning towards option A. Creating an Application Load Balancer with one listener on port 80 and one on port 443, and then forwarding the traffic from port 80 to the HTTPS listener on 443 seems like the most straightforward approach. Plus, we can use the AWS Certificate Manager to provision the TLS certificate and attach it to the HTTPS listener.
upvoted 0 times
Stefany
7 months ago
By following option A, the security engineer can successfully implement TLS for incoming HTTP and HTTPS traffic without impacting performance.
upvoted 0 times
Justine
7 months ago
The steps outlined in option A provide a clear path to meeting the company's requirements for implementing TLS effectively.
upvoted 0 times
Jani
8 months ago
Definitely. It's always a good practice to implement TLS for incoming internet traffic to secure the application.
upvoted 0 times
Evangelina
8 months ago
It's important to ensure security while maintaining performance, which is why option A is a solid solution for this scenario.
upvoted 0 times
Tawna
8 months ago
Using AWS Certificate Manager to provision the TLS certificate for the HTTPS listener on port 443 simplifies the process.
upvoted 0 times
Harrison
8 months ago
I agree. Setting up an Application Load Balancer with listeners on ports 80 and 443, and forwarding traffic from 80 to 443 is a smart move.
upvoted 0 times
Caprice
8 months ago
Option A seems like the best choice. It covers all the necessary steps for implementing TLS for incoming traffic.
upvoted 0 times
Freeman
8 months ago
Haha, you know, I'm just imagining the exam proctor asking us, 'So, which one of you forgot to attach the TLS certificate to the right listener?' That would be a classic mistake to make on this question.
upvoted 0 times
Gail
8 months ago
Good point. And option C and D, using a Network Load Balancer, don't seem quite right either. They're talking about HTTP and HTTPS traffic, so an Application Load Balancer seems more appropriate.
upvoted 0 times