Exam AWS Certified Security - Specialty topic 1 question 403 discussion

A. SSL/TLS termination on ALB → Encryption in transit C. A Network Load Balancer only supports transport layer (layer 4) TCP listeners. HTTP and HTTPS traffic can be routed to your environment over TCP. To establish secure HTTPS connections between web clients and your environment, install a self-signed certificate on the environment's instances, and configure the instances to listen on the appropriate port (typically 443) and terminate HTTPS connections. https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-nlb.html

AC are correct

A and C NLB with TLS listeners, not SSL - https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html

CE C. Replace the existing ALB with a Network Load Balancer (NLB). On the NLB, configure TCP passthrough to receive client connections. Terminate SSL from the NLB on the EC2 instances. This solution replaces the existing ALB with an NLB and uses TCP passthrough to receive client connections. SSL is terminated on the EC2 instances, ensuring end-to-end encryption of PII data in transit at all times. E. Configure a Network Load Balancer (NLB) with a TLS listener to receive client connections. Configure TCP passthrough on the existing ALB so that the NLB can reach the EC2 instances. Terminate SSL from the ALB on the EC2 instances. This solution configures an NLB with a TLS listener to receive client connections. TCP passthrough is configured on the existing ALB so that the NLB can reach the EC2 instances. SSL is terminated on the ALB, ensuring end-to-end encryption of PII data in transit at all times.

I vote for B,E. A doesn't add up to me. The encryption is not E2E as it is terminated and then was re-encrypted. This, by definition, would not be E2EE. E makes more sense to me: "Note that if you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. The load balancer passes the request to the target as is, without decrypting it." Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html

In Option B, the NLB is configured with an SSL listener, which allows the NLB to encrypt the data in transit between the client and the NLB. The NLB is also configured with TCP passthrough, which allows it to pass the encrypted data to the EC2 instances, and the HTTPS traffic is terminated from the NLB on the EC2 instances, ensuring that the data is encrypted in transit between the NLB and the EC2 instances as well. In Option C, the NLB is only configured with TCP passthrough, which does not encrypt the data in transit. As a result, this option does not meet the company's security policy requirements to encrypt data in transit at all times to avoid the possibility of exposing any personally identifiable information (PII) in plaintext.

Nitpicking, but maybe they intend you to pick up on this?... B states: "SSL listener and TCP passthrough," where the wording should be "TCP Listener and SSL Passthrough"(??)

AD To encrypt the data in transit at all times, the security engineer could configure the existing ALB to terminate SSL from clients and use HTTPS to connect to the EC2 instances. This would encrypt the data in transit between clients and the ALB, and between the ALB and the EC2 instances.

AWS doc says; You can choose the type of load balancer that your environment uses only during environment creation. You can change settings to manage the behavior of your running environment's load balancer, but you can't change its type. https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-nlb.html#:~:text=You%20can%20choose%20the%20type%20of%20load%20balancer%20that%20your%20environment%20uses%20only%20during%20environment%20creation.%20You%20can%20change%20settings%20to%20manage%20the%20behavior%20of%20your%20running%20environment%27s%20load%20balancer%2C%20but%20you%20can%27t%20change%20its%20type.

Basic understanding of ALB and NLB

agree with A, C . Nice question

A Terminate ssl on alb and configure Target group with https C or Replace with a NLB use listener 443 for passthrough the ssl terminate on the instances https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html