A popular online banking website is configured on an EC2 instance within a VPC.
Due to the recent large number of transactions & the requirement for secure connections, the IT team is planning to terminate all secure HTTPS connections from clients on the ELB instead of on the EC2 instance.
The IT team is seeking your help as an AWS expert to configure security policies for the ELB that will meet the latest security guidelines & provide an enhanced user experience while performing banking transactions.
Which of the following security options can be designed with ELB to have the most secure connection between the client & ELB?
A. B. C. D.
Correct Answer - B.
During SSL connection negotiation between the client & the ELB, each side presents the list of ciphers & protocols it supports.
When the ELB has Server Order Preference enabled, connections are negotiated according to the cipher preference order at the ELB end, not according to the cipher order at the client end, which may include ciphers that are not recommended.
Options A & D are incorrect as the SSL 2.0 protocol is not recommended.
Option C is incorrect as, if Server Order Preference is disabled on the ELB, the order of ciphers at the client end is used for negotiating connections between the client & the ELB.
For more information on Security Policy with AWS ELB, refer to the following URL.
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html
Option A is incorrect because SSL 2.0 is an outdated and insecure protocol that is not recommended for use. Also, disabling the Server Order Preference can lead to security vulnerabilities in the configuration.
Option B is incorrect because while enabling Server Order Preference can improve the overall security of the SSL/TLS connection, using TLS 1.2 is not the best choice as it is not the latest version available.
Option D is incorrect because SSL 2.0 is an outdated and insecure protocol that should not be used for secure connections.
The correct answer is option C, which involves configuring the ELB with a custom Security Policy having Server Order Preference disabled and SSL protocol as TLS 1.2. TLS 1.2 is the latest version of the TLS protocol and provides strong security features such as improved cipher suites and key exchange algorithms. Disabling the Server Order Preference can also improve the overall security of the SSL/TLS connection.
In summary, the IT team should configure ELB with a custom security policy that has Server Order Preference disabled and SSL protocol set to TLS 1.2. This will ensure a secure and enhanced user experience while performing banking transactions.
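The explanations above turn on one mechanism: during the handshake each side offers its protocol versions and cipher suites, and Server Order Preference decides whose cipher ordering wins. The following is an added example, not code from the page or from AWS, that models that negotiation as a toy so the effect of the setting can be seen directly. The security policy, the client hello, and the numeric protocol ranking are all constructed here for illustration; the cipher suite names are real OpenSSL-style names, and the `Protocol-<version>` / `Server-Defined-Cipher-Order` attribute names are assumed to match the Classic ELB policy attributes and should be confirmed against `aws elb describe-load-balancer-policy-types` before use.

```python
"""Toy model of SSL/TLS negotiation between a client and a Classic ELB.

Added example, not from the page or from AWS. It models only the two
decisions the explanation discusses: which protocol version is chosen, and
whose cipher ordering wins when Server Order Preference is on or off.
"""
from dataclasses import dataclass

# Constructed ranking used to pick the highest common protocol version.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4}


@dataclass(frozen=True)
class SecurityPolicy:
    """A custom ELB SSL negotiation policy, reduced to the fields that matter here."""
    protocols: frozenset           # protocol versions the ELB will accept
    ciphers: tuple                 # cipher suites in the ELB's order of preference
    server_order_preference: bool  # True: ELB's order wins; False: client's order wins


def negotiate(policy: SecurityPolicy, client_protocols, client_ciphers):
    """Return the (protocol, cipher) pair the handshake settles on.

    Protocol: the highest version both sides support.
    Cipher:   with Server Order Preference enabled, walk the ELB's list and take the
              first suite the client also offers; with it disabled, walk the client's
              list instead, so a client that lists a weak suite first gets it.
    Raises ValueError when nothing is common, which is a failed handshake.
    """
    common_protocols = [p for p in client_protocols if p in policy.protocols]
    if not common_protocols:
        raise ValueError("no protocol version in common; handshake fails")
    protocol = max(common_protocols, key=PROTOCOL_RANK.__getitem__)

    if policy.server_order_preference:
        ordered = [c for c in policy.ciphers if c in client_ciphers]
    else:
        ordered = [c for c in client_ciphers if c in policy.ciphers]
    if not ordered:
        raise ValueError("no cipher suite in common; handshake fails")
    return protocol, ordered[0]


def handshake_allowed(policy: SecurityPolicy, client_protocols, client_ciphers) -> bool:
    """True if the policy lets this client connect at all."""
    try:
        negotiate(policy, client_protocols, client_ciphers)
        return True
    except ValueError:
        return False


def policy_attributes(policy: SecurityPolicy):
    """Render the policy as AttributeName/AttributeValue pairs of the kind that
    `aws elb create-load-balancer-policy --policy-type-name SSLNegotiationPolicyType
    --policy-attributes ...` takes. Attribute names are assumed to follow the Classic
    ELB naming (Protocol-<version>, Server-Defined-Cipher-Order, <cipher name>)."""
    attrs = [{"AttributeName": f"Protocol-{p}", "AttributeValue": "true"}
             for p in sorted(policy.protocols, key=PROTOCOL_RANK.__getitem__)]
    attrs.append({"AttributeName": "Server-Defined-Cipher-Order",
                  "AttributeValue": str(policy.server_order_preference).lower()})
    attrs += [{"AttributeName": c, "AttributeValue": "true"} for c in policy.ciphers]
    return attrs


# Constructed sample policy: TLS 1.2 only, strongest suites first, Server Order Preference on.
STRICT_POLICY = SecurityPolicy(
    protocols=frozenset({"TLSv1.2"}),
    ciphers=("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384",
             "AES128-SHA", "DES-CBC3-SHA"),
    server_order_preference=True,
)
# The same policy with Server Order Preference disabled.
LAX_POLICY = SecurityPolicy(STRICT_POLICY.protocols, STRICT_POLICY.ciphers,
                            server_order_preference=False)

# Constructed client hello: supports TLS 1.2 but lists its weakest suite first.
CLIENT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
CLIENT_CIPHERS = ["DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]


def compare():
    """Show what the same client gets with Server Order Preference on versus off."""
    return {
        "server_order_preference_on": negotiate(STRICT_POLICY, CLIENT_PROTOCOLS, CLIENT_CIPHERS),
        "server_order_preference_off": negotiate(LAX_POLICY, CLIENT_PROTOCOLS, CLIENT_CIPHERS),
    }


if __name__ == "__main__":
    for label, (proto, cipher) in compare().items():
        print(f"{label}: protocol={proto} cipher={cipher}")
    # A legacy client offering only SSLv3 is refused by a TLS-1.2-only policy.
    print("SSLv3-only client allowed:", handshake_allowed(STRICT_POLICY, ["SSLv3"], CLIENT_CIPHERS))
```

With Server Order Preference on, the client that lists `DES-CBC3-SHA` first still ends up on `ECDHE-RSA-AES128-GCM-SHA256`; with it off, the same client is given `DES-CBC3-SHA`. That is the whole difference the explanation describes, and it is why the cipher list in a custom policy only protects clients if the ELB's ordering is the one that wins.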