Exam AWS Certified Security - Specialty topic 1 question 197 discussion

B . https://www.thesslstore.com/blog/perfect-forward-secrecy-explained/#:~:text=Perfect%20forward%20secrecy%20is%20a,freshly%20generated%20frequently%20and%20automatically.

I would lean towards B as the answer as it indicates that only ciphers that support PFS are used which matches requirements listed in the question. Option C includes support for non-PFS ciphers for backward compatibility browsers that do not support ECDHE ciphers https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/classic/elb-security-policy-table.html

B is better than C, cause TLS-1-2-2017-01 includes other ciphers beside ECDHE, like AES256-SHA256 (which are not PFS) So to strictly allow only PFS ciphers, use custom security policy with only ECDHE ciphers.

... old answer is B new ONe: C [if ELBSecurityPolicy-TLS13-1-2-2021-06 and above] ... AWS provides several predefined security policies for HTTPS listeners that support Perfect Forward Secrecy (PFS). Here are some of them: ELBSecurityPolicy-FS-1-2-2019-08 ELBSecurityPolicy-FS-1-2-Res-2020-10 ELBSecurityPolicy-TLS13-1-2-2021-06 ELBSecurityPolicy-TLS13-1-3-2021-06 ELBSecurityPolicy-TLS13-1-2-Res-2021-06

Predefined are preferred. No reason to discard C.

Since privacy protection is becoming increasingly important, we have added support for Perfect Forward Secrecy. This security feature uses a derived session key to provide additional safeguards against the eavesdropping of encrypted data. This prevents the decoding of captured data, even if the secret long-term key is compromised. B

D...using an HTTPS listener alone would not ensure that past and current TLS traffic to the Classic Load Balancer stays secure in the event of a private key leak. In this case, option D, which suggests using a TCP listener with a custom security policy that allows only perfect forward secrecy (PFS) cipher suites, would be the better option to ensure the confidentiality of past and current TLS traffic. PFS ensures that each session uses a unique session key that is not derived from the long-term private key. Therefore, even if an attacker gains access to the private key, they will not be able to decrypt past traffic.

B is good enough

As per documention, I would lean towards B .... but who is still using CLB .... https://aws.amazon.com/blogs/aws/elastic-load-balancing-perfect-forward-secrecy-and-other-security-enhancements/ Perfect forward secrecy is a feature of SSL/TLS that prevents an attacker from being able to decrypt the data from historical or future sessions if they’re able to steal the private keys used in a particular session. This is achieved by using unique session keys that are freshly generated frequently and automatically.

Answer is B. You need to choose a cipher suite that supports only PFS to prevent private key leakage and disable the ciphers that don't. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html. The key is in the first paragraph of the support documentation is "Alternatively, you can create a custom security policy."

ELBSecurityPolicy-TLS-1-2-2017-01 only supports tls 1.2

for me the answer is C . first aws always leans towards using aws managed and predefined services. second ECDHE ( E stands for ephemeral hint hint for PFS) supports PFS third the predefined policy 1-2-2017-1 supports ECDHE in the cipher suite.

Answer is C You can choose one of the predefined security policies for your HTTPS/SSL listeners. We recommend the default predefined security policy, ELBSecurityPolicy-2016-08, for compatibility. You can use one of the ELBSecurityPolicy-TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions. Predefined security policies The following are the predefined security policies for Classic Load Balancers. To describe a predefined policy, use the describe-load-balancer-policies command. ELBSecurityPolicy-2016-08 ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/classic/elb-security-policy-table.html

B is the answer https://aws.amazon.com/blogs/aws/elastic-load-balancing-perfect-forward-secrecy-and-other-security-enhancements/

Answer is C or B; I am confused..

Answer is D: "custom security policy" has to use TCP

C: https://docs.amazonaws.cn/en_us/elasticloadbalancing/latest/classic/elb-security-policy-table.html