
SOA-C02 Question #364: Real Exam Question with Answer & Explanation

The correct answer is B: Attach the certificate to the ALB.

Submitted by kwame.gh · Mar 30, 2026 · Security and Compliance

Question

A company runs a retail website on multiple Amazon EC2 instances behind an Application Load Balancer (ALB). The company must secure traffic to the website over an HTTPS connection. Which combination of actions should a SysOps administrator take to meet these requirements? (Choose two.)

Options

  • A. Attach the certificate to each EC2 instance.
  • B. Attach the certificate to the ALB.
  • C. Create a private certificate in AWS Certificate Manager (ACM).
  • D. Create a public certificate in AWS Certificate Manager (ACM).
  • E. Export the certificate, and attach it to the website.

Explanation

To enable HTTPS on a public-facing retail website, you need a public certificate (D) - because visitors' browsers must trust it via a public CA, and a private certificate would cause browser SSL warnings. That certificate should be attached to the ALB (B), which terminates SSL/TLS before forwarding requests to the EC2 instances, centralizing certificate management in one place.

Why the distractors are wrong:

  • A - Attaching the certificate to each EC2 instance is unnecessary and unscalable; the ALB handles TLS termination, so backend instances don't need the cert.
  • C - A private certificate is for internal services (e.g., internal APIs, private networks) where a private CA is trusted; public users' browsers will reject it.
  • E - ACM certificates cannot be exported for use outside AWS services; they are managed and deployed directly to supported services like ALBs.

Memory tip: Think "Public website = Public cert on the Load Balancer." The ALB is the front door - secure the front door, not every room inside. ACM + ALB is the AWS-native pattern; private certs are for private networks only.
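
The pattern from the explanation (a public ACM certificate attached to the ALB's HTTPS listener), written as a CloudFormation template. This is an added example, not part of the original question; the parameter names, DNS validation through a Route 53 hosted zone, the TLS policy and the port 80 redirect are assumptions that go beyond what the question states.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Public ACM certificate terminated at an existing ALB (illustrative)
Parameters:
  DomainName:            # assumed: the site's public hostname
    Type: String
  HostedZoneId:          # assumed: Route 53 zone used for DNS validation
    Type: AWS::Route53::HostedZone::Id
  LoadBalancerArn:       # assumed: the existing ALB in front of the EC2 fleet
    Type: String
  TargetGroupArn:        # assumed: target group containing the EC2 instances
    Type: String
Resources:
  # Option D: a public certificate issued by ACM, trusted by visitors' browsers
  SiteCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
  # Option B: the certificate lives on the ALB listener, not on the instances
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref SiteCertificate   # Ref returns the certificate ARN
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroupArn
  # Addition beyond the question: send plain HTTP clients to the HTTPS listener
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301
```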

Topics

#AWS Certificate Manager (ACM) · #Application Load Balancer (ALB) · #HTTPS · #SSL/TLS Certificates
