Designing an Application with Encryption for Protected Health Information | AWS Exam Preparation

AWS Certified DevOps Engineer - Professional Exam | DOP-C01

Prev Question Next Question

Question

You are designing an application that contains protected health information.

Security and compliance requirements for your application mandate that all protected health information in the application use encryption at rest and in transit.

The application uses a three-tier architecture where data flows through the load balancer and is stored on Amazon EBS volumes for processing and the results are stored in Amazon S3 using the AWS SDK.

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D. E.

Answer - C and E.

The AWS Documentation mentions the following :

You can create a load balancer with the following security features.

SSL Server Certificates.

If you use HTTPS or SSL for your front-end connections, you must deploy an X.509 certificate (SSL server certificate) on your load balancer.

The load balancer decrypts requests from clients before sending them to the back-end instances (known as SSL termination)

For more information, see SSL/TLS Certificates for Classic Load Balancers.

If you don't want the load balancer to handle the SSL termination (known as SSL offloading), you can use TCP for both the front-end and back-end connections, and deploy certificates on the registered instances handling requests.

Reference Link:

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-listener-config.html

Create a Classic Load Balancer with an HTTPS Listener.

A load balancer takes requests from clients and distributes them across the EC2 instances that are registered with the load balancer.

You can create a load balancer that listens on both the HTTP (80) and HTTPS (443) ports.

If you specify that the HTTPS listener sends requests to the instances on port 80, the load balancer terminates the requests and communication from the load balancer to the instances is not encrypted.

If the HTTPS listener sends requests to the instances on port 443, communication from the load balancer to the instances is encrypted.

Reference Link:

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html

Option A & B are incorrect because they are missing encryption in transit between ELB and EC2 instances.

Option D is incorrect because it is missing encryption at rest on the data associated with the EC2 instances.

The correct answer is B: Use SSL termination with a SAN SSL certificate on the load balancer. Amazon EC2 with all Amazon EBS volumes using Amazon EBS encryption, and Amazon S3 with server-side encryption with customer-managed keys.

Explanation: The security and compliance requirements mandate that all protected health information in the application should use encryption at rest and in transit. Therefore, SSL termination with a SAN SSL certificate on the load balancer is a must. It will ensure secure communication between the client and the load balancer.

Next, the data flows through the load balancer and is stored on Amazon EBS volumes for processing. To ensure encryption at rest, all Amazon EBS volumes should use Amazon EBS encryption. This will ensure that the data stored in the EBS volumes is encrypted and protected from unauthorized access.

Finally, the results are stored in Amazon S3 using the AWS SDK. Amazon S3 provides server-side encryption to protect the data stored in it. To ensure server-side encryption, the application should use Amazon S3 with server-side encryption. Additionally, to meet the compliance requirements, the application should use customer-managed keys for encryption.

Answer A is incorrect because it does not mention the use of customer-managed keys for encryption of data at rest in Amazon S3.

Answer C is incorrect because it mentions OS-level disk encryption on the Amazon EBS volumes, which is not required as Amazon EBS encryption can provide encryption at rest.

Answer D is incorrect because it does not mention encryption at rest for data stored in Amazon EBS volumes.

Answer E is incorrect because it mentions SSL listener on Amazon EC2 instances, which is not required as SSL termination is already being performed on the load balancer.