Exam ANS-C00 topic 1 question 36 discussion

Exam question from Amazon's ANS-C00
Question #: 36
Topic #: 1

Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load Balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses.
Which step should you take to fix this problem?

  • A. Generate new SSL certificates for all web servers and replace current certificates.
  • B. Change the security policy on the ELB to disable vulnerable protocols and ciphers.
  • C. Generate new SSL certificates and use ELB to front-end the encrypted traffic for all web servers.
  • D. Leverage your current configuration management system to update SSL policy on all web servers.
Suggested Answer: D

Comments

route53
Highly Voted 3 years, 8 months ago
If the SSL offload happens at the ELB, the correct answer is B: vulnerable ciphers and protocols can be removed in the security policy.
upvoted 23 times
dpvnme
3 years, 8 months ago
Never mind, the question says HTTPS listener, so yeah, B should be the answer.
upvoted 8 times
dpvnme
3 years, 8 months ago
Yes, but the question does not state that the SSL is offloaded at the ELB.
upvoted 3 times
jason2009
3 years, 7 months ago
That's the problem. The question is very badly designed. First, you cannot remove ciphers or protocols from the security policy. You can only change security policies, not define them yourself. Secondly, it does not say exactly what the vulnerabilities are, so it's not clear whether you can choose a new security policy on the ELB or you will have to bring your own policies because AWS does not support the ciphers and protocols your company considers safe. It's very unclear and the question is seriously trying to confuse you.
upvoted 3 times
PavanKushwah123
Most Recent 2 years, 5 months ago
Correct Answer D
upvoted 1 times
Ramyras
2 years, 7 months ago
An HTTPS listener can be with SSL or without. As it is not stated that an SSL cert is installed on the listener, we can't assume it is. So D can be a reasonable answer.
upvoted 1 times
Marty2021
2 years, 11 months ago
Selected Answer: B
B - Agree with route53
upvoted 1 times
hecong
2 years, 11 months ago
Selected Answer: B
B. Elastic Load Balancing uses a TLS negotiation configuration, known as a security policy, to negotiate TLS connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/network/create-tls-listener.html
upvoted 1 times
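The comment above describes the security policy as the listener-level combination of protocols and ciphers. An added example, not from the original discussion or from AWS, of how a defender would audit that setting: it parses a constructed sample shaped like `aws elbv2 describe-listeners` output, flags TLS-terminating listeners whose `SslPolicy` is outside an approved set, and emits the `aws elbv2 modify-listener --ssl-policy` remediation (answer B). The approved and target policy names are real AWS predefined policies, but which ones to approve is this example's assumption.

```python
"""Audit ALB/NLB listeners for a weak TLS security policy (offline, on sample input)."""
import json

# Assumption for this example: policies the security team still accepts.
APPROVED_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
}
TARGET_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"

# Constructed sample resembling `aws elbv2 describe-listeners --load-balancer-arn ...`.
# ARNs and account id are made up for the example.
SAMPLE_DESCRIBE_LISTENERS = json.dumps({
    "Listeners": [
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/shop/abc123/https1",
         "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/shop/abc123/https2",
         "Port": 8443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
        {"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/shop/abc123/http1",
         "Port": 80, "Protocol": "HTTP"},
    ]
})


def find_noncompliant(describe_json, approved=APPROVED_POLICIES):
    """Return (listener ARN, policy) for every TLS-terminating listener not on the approved list."""
    findings = []
    for listener in json.loads(describe_json).get("Listeners", []):
        # Only HTTPS (ALB) and TLS (NLB) listeners negotiate TLS; HTTP/TCP have no SslPolicy.
        if listener.get("Protocol") not in ("HTTPS", "TLS"):
            continue
        policy = listener.get("SslPolicy", "")
        if policy not in approved:
            findings.append((listener["ListenerArn"], policy))
    return findings


def remediation_commands(findings, target=TARGET_POLICY):
    """One CLI command per finding: swap the policy on the listener, certificates untouched."""
    return [f"aws elbv2 modify-listener --listener-arn {arn} --ssl-policy {target}"
            for arn, _ in findings]


if __name__ == "__main__":
    bad = find_noncompliant(SAMPLE_DESCRIBE_LISTENERS)
    for arn, policy in bad:
        print(f"NONCOMPLIANT {arn}: {policy or '<none>'}")
    for cmd in remediation_commands(bad):
        print(cmd)
```

Feed it the real `describe-listeners` output for each load balancer to get a per-listener remediation list; Classic ELBs use a different API and are not covered here.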
AzureDP900
3 years, 4 months ago
I will go with B
upvoted 1 times
Cyril_the_Squirl
3 years, 7 months ago
This is a question about ELB, specifically the available listener configurations. B is correct. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
upvoted 1 times
Huy
3 years, 7 months ago
The key words here are "ELB with an HTTPS listener". This means SSL/TLS is offloaded in the ELB, so only B matches. The others are for web servers.
upvoted 3 times
jason2009
3 years, 7 months ago
It's a very frustrating question. It all depends on a condition that is unknown in the context of the question. What exactly are the vulnerabilities? Fact: ELBs do not allow you to define security policies. You have to choose the pre-defined security policies. So D is ALWAYS right. Regardless of what vulnerabilities you have, you always have the option to define your own policies and deploy them to the web servers. B can be OK, but not guaranteed, because if the ciphers and protocols deemed unsafe are there in all AWS pre-defined security policies you simply cannot remediate the problem through B.
upvoted 1 times
student2020
3 years, 7 months ago
The question does not mention ALB. ELB could also refer to Classic ELB, which does allow you to define security policies. These questions are designed to test your full understanding of the entire AWS family of products and features. ELB refers to ALB, NLB and Classic ELB.
upvoted 3 times
Kentik
3 years, 7 months ago
I would go for B as well.
upvoted 2 times
andyo
3 years, 8 months ago
Correction: Ans B. "exploitable vulnerability ... in the encryption protocol and cipher", so just changing the policy is correct, like from SSL to TLS.
upvoted 2 times
andyo
3 years, 8 months ago
Why not C? Do you not create new certs and then remove the old? "...you must first create a new certificate by following the same steps that you used when you created the current certificate. Then, you can replace the certificate."
upvoted 1 times
backfringe
3 years, 8 months ago
It's B. The security policy on the ELB needs to be changed.
upvoted 3 times
kvirk
3 years, 8 months ago
B is correct
upvoted 2 times
BillyC
3 years, 8 months ago
B ... !
upvoted 4 times
piemar
3 years, 8 months ago
D, because you want to use configuration management such as CloudFormation to update ciphers and not do it manually; it's not scalable.
upvoted 2 times
network_zeal
3 years, 8 months ago
Agree, but option D mentions web servers. It is the configuration of the LB that needs to change. Hence the best answer is B.
upvoted 4 times
piemar
3 years, 8 months ago
Yes, you are right, thanks. B is the correct answer.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other