Exam AWS Certified Solutions Architect - Professional topic 1 question 696 discussion

Correct Options: BDE C is asking for explicit encryption on top of EBS encryption with KMS, I believe it's not needed.

BDE for me, we cannot use "public" certificate for ec2 from amazon certificate manager, so A cannot be the answer. and for C i agree with SD13 i think explicit encryption it's not needed

vote BDE

IRL we use self-signed cert between LB and the ec2 (or private from ACM). The way the answer is written A cannot be true.

B. Acquire a public certificate from a third-party vendor and deploy it to CloudFront, an Application Load Balancer, and Amazon EC2 instances. D. Provision Amazon EBS encrypted volumes using AWS KMS. E. Use SSL or encrypt data while communicating with the external system using a VPN.

A is wrong because public ACM certificates can be used only with specific AWS services. EC2 is not included https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html C is asking for explicit encryption on top of EBS encryption with KMS, I believe it's not needed.

B,D,E --- Q: With which AWS services can I use ACM certificates? You can use public and private ACM certificates with the following AWS services: • Elastic Load Balancing – Refer to the Elastic Load Balancing documentation • Amazon CloudFront – Refer to the CloudFront documentation • Amazon API Gateway – Refer to the API Gateway documentation • AWS Elastic Beanstalk – Refer to the AWS Elastic Beanstalk documentation • AWS CloudFormation – Support is currently limited to public certificates that use email validation. Refer to the AWS CloudFormation documentation In addition, you can use private certificates issued with ACM Private CA with EC2 instances, containers, IoT devices, and on your own servers. https://aws.amazon.com/certificate-manager/faqs/?nc1=h_ls

It's B D E

BBB DDD EEE --- https://aws.amazon.com/certificate-manager/faqs/

BDE is correct.

I'll go with B,D,E Q: Can I use certificates on Amazon EC2 instances or on my own servers? You can use private certificates issued with ACM Private CA with EC2 instances, containers, and on your own servers. At this time, public ACM certificates can be used only with specific AWS services. See With which AWS services can I use ACM certificates? https://aws.amazon.com/certificate-manager/faqs/?nc1=h_ls

BDE For those answering ADE: HTTPS between viewers and CloudFront – You can use a certificate that was issued by a trusted certificate authority (CA) such as Comodo, DigiCert, or Symantec, or you can use a certificate provided by AWS Certificate Manager (ACM). HTTPS between CloudFront and a custom origin – If the origin is not an Elastic Load Balancing (ELB) load balancer, such as Amazon EC2, the certificate must be issued by a trusted CA such as Comodo, DigiCert, or Symantec. If your origin is an ELB load balancer, you can also use a certificate provided by ACM. For SSL Between ELB and EC2: Amazon-issued certificates can’t be installed on an EC2 instance. To enable end-to-end encryption, you must use a third-party SSL certificate. Install the third-party certificate on an EC2 instance. Then, associate the third-party certificate with a load balancer by importing it into AWS Certificate Manager (ACM) (https://aws.amazon.com/premiumsupport/knowledge-center/acm-ssl-certificate-ec2-elb/) The requirement of 3rd party cert between ELB and EC2 makes Option A is invalid.

BDE are my answers!!

BDE Explanation for B - "You can't export an Amazon Issued ACM public certificate for use on an EC2 instance because ACM manages the private key." https://aws.amazon.com/premiumsupport/knowledge-center/configure-acm-certificates-ec2/

BED for sure. A is incorrect, public cert cannot be used in EC2.

You generate the certificate for CF. Answer is ADE.

it's A,D,E