Exam AWS Certified Security - Specialty topic 1 question 368 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 368
Topic #: 1

A DevOps team is planning to deploy a containerized application on Amazon Elastic Container Service (Amazon ECS). The team will use an Application Load Balancer (ALB) to distribute the incoming traffic for the ECS application. A security engineer needs to terminate the TLS traffic at the ALB to ensure security of data in transit.

Which solutions can the security engineer use to create a certificate and deploy the certificate at the ALB to meet these requirements? (Choose two.)

  • A. Use TLS tools to create a certificate signing request (CSR). Get the CSR signed by a certificate authority (CA) to produce a certificate. Import the certificate into AWS Certificate Manager (ACM). Specify the certificate for the TLS listener on the ALB.
  • B. Use AWS Certificate Manager (ACM) to request a certificate. Specify the certificate for the TLS listener on the ALB.
  • C. Use AWS Key Management Service (AWS KMS) tools to create a certificate signing request (CSR). Get the CSR signed by a certificate authority (CA) to produce a certificate. Import the certificate into AWS Certificate Manager (ACM). Specify the certificate for the TLS listener on the ALB.
  • D. Configure automatic TLS support in the ECS cluster. Configure the ALB to pass the TLS connection to the containers in the cluster.
  • E. Generate a certificate while creating the ECS cluster. Import the certificate into AWS Certificate Manager (ACM). Specify the certificate for the TLS listener on the ALB.
Suggested Answer: AB

Comments

tainh
Highly Voted 2 years, 6 months ago
Selected Answer: AB
A, B are correct. We recommend that you create certificates for your load balancer using AWS Certificate Manager (ACM). ACM supports RSA certificates with 2048, 3072, and 4096-bit key lengths, and all ECDSA certificates. ACM integrates with Elastic Load Balancing so that you can deploy the certificate on your load balancer. For more information, see the AWS Certificate Manager User Guide. Alternatively, you can use SSL/TLS tools to create a certificate signing request (CSR), then get the CSR signed by a CA to produce a certificate, then import the certificate into ACM or upload the certificate to AWS Identity and Access Management (IAM). https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
upvoted 5 times
...
Raphaello
Most Recent 1 year, 5 months ago
AB. AWS KMS cannot be used to issue a CSR. However, ALB is an L7 LB, so there's no "TLS listener" on it. A TLS listener is used with NLB (L4 LB) for TLS termination on NLB; but still B is a better option than the rest.
upvoted 1 times
...
vherman
1 year, 11 months ago
Selected Answer: B
There is no such thing as a TLS listener on the ALB; there is an HTTPS listener.
upvoted 1 times
...
Toptip
1 year, 12 months ago
Selected Answer: AB
A and B - use a tool (Not ACM) to create CSR then sign it and import to ACM or Generate a Certificate directly with ACM
upvoted 1 times
...
ITGURU51
2 years ago
AB are obvious choices here. We can either create a certificate signing request or use AWS Certificate Manager to generate the certificate for the ELB. (Elastic Load Balancer) The AWS best practice is to use ACM to create or import certificates for the load balancer. To deploy a certificate on the load balancer the cert must be in the same region as the ELB.
upvoted 2 times
...
Smartphone
2 years, 3 months ago
This question is really tricky. The question answers what are the methods to "create a certificate and deploy the certificate at the ALB"... So the options A and B are two solutions to create certificate and deploy it at the ALB Answers: A & B
upvoted 1 times
...
D2
2 years, 6 months ago
Selected Answer: AB
A and B are two separate solutions (not a combination) to achieve the same. There is no requirement to encrypt from ALB to containers running in ECS
upvoted 1 times
...
AdamWest
2 years, 6 months ago
Selected Answer: BD
BD - Use ACM for Encryption in transit. https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
upvoted 1 times
Isaias
2 years, 6 months ago
It's a tricky question, because the ALB cannot pass through the SSL connection, just the NLB can do it, or with the ALB create the target groups with HTTPS protocol to keep the security data in transit
upvoted 1 times
...
...
Isaias
2 years, 6 months ago
Selected Answer: AB
AB https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
upvoted 2 times
...
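
The two certificate paths named in answers A and B, both ending in an HTTPS listener on the ALB, written out with OpenSSL and the AWS CLI. This is an added example, not part of the original question or any comment; the domain, file names and ARNs passed to the functions are caller-supplied placeholders, and the `run`/`DRY_RUN` helper is a hypothetical convenience for printing commands instead of executing them.

```shell
# Added example: answers A and B as commands, ending in an HTTPS listener
# on the ALB. Domain names, file names and ARNs are placeholders supplied by
# the caller (assumptions, not values from the page).
# DRY_RUN=1 prints each command instead of executing it.

REGION="${REGION:-us-east-1}"   # the ACM certificate must be in the ALB's region

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Answer A, step 1: private key + CSR with a TLS tool (OpenSSL here, not KMS).
make_csr() {            # usage: make_csr <domain>
  run openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1.key.pem" -out "$1.csr.pem" -subj "/CN=$1"
}

# Answer A, step 2: once the CA returns <domain>.cert.pem and <domain>.chain.pem,
# import them into ACM. Imported certificates are not renewed by ACM.
import_cert() {         # usage: import_cert <domain>
  run aws acm import-certificate --region "$REGION" \
    --certificate "fileb://$1.cert.pem" \
    --private-key "fileb://$1.key.pem" \
    --certificate-chain "fileb://$1.chain.pem" \
    --query CertificateArn --output text
}

# Answer B: ACM issues the certificate after DNS validation of the domain.
request_cert() {        # usage: request_cert <domain>
  run aws acm request-certificate --region "$REGION" \
    --domain-name "$1" --validation-method DNS \
    --query CertificateArn --output text
}

# Both paths end here: TLS terminates at the ALB's HTTPS listener on 443.
attach_listener() {     # usage: attach_listener <alb-arn> <cert-arn> <tg-arn>
  run aws elbv2 create-listener --region "$REGION" \
    --load-balancer-arn "$1" --protocol HTTPS --port 443 \
    --certificates "CertificateArn=$2" \
    --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --default-actions "Type=forward,TargetGroupArn=$3"
}
```

The listener protocol is `HTTPS`, which is the ALB form of what the question calls a "TLS listener"; the private key from `make_csr` is written unencrypted (`-nodes`) and should be removed from disk after the import.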