SCS-C02 Question #50: Real Exam Question with Answer & Explanation

The correct answer is A: Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. ACM TLS certificates on an Application Load Balancer secure data in transit, while enabling RDS encryption secures data at rest, both with minimal operational overhead.

Submitted by tarun92 · Mar 6, 2026

Question

A company is developing an ecommerce application. The application uses Amazon EC2 instances and an Amazon RDS MySQL database. For compliance reasons, data must be secured in transit and at rest. The company needs a solution that minimizes operational overhead and minimizes cost. Which solution meets these requirements?

Options

  • A. Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer.
  • B. Use TLS certificates from a third-party vendor with an Application Load Balancer. Install the same
  • C. Use AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS
  • D. Use Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances.

Explanation

ACM TLS certificates on an Application Load Balancer secure data in transit, while enabling RDS encryption secures data at rest, both with minimal operational overhead.

Common mistakes.

  • B. Using third-party TLS certificates requires manual procurement, installation, and renewal across all EC2 instances, which significantly increases operational overhead compared to ACM-managed certificates.
  • C. AWS CloudHSM provides dedicated hardware security modules for strict compliance requirements but carries substantial cost (approximately $1.60/hour per HSM) and operational complexity far exceeding what is necessary for standard TLS termination.
  • D. Sending HTTP (unencrypted) connections from CloudFront to the origin EC2 instances fails to secure data in transit between the CDN and the application tier, violating the requirement that data must be secured in transit end-to-end.

Concept tested. Encryption in transit with ACM and ALB, RDS encryption at rest

Reference. https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
