Securing Your AWS EC2 Instances with TLS - Fixing Load Balancer Listener Issue

Fixing Load Balancer Listener Issue

Prev Question Next Question

Question

A Node.js software team has developed a recipe application that end-users can search and share recipes.

The team deployed the app in AWS EC2 instances with a network load balancer.

A recent security audit has discovered an issue that the load balancer listener is not using TLS.

That means the application is at a security risk and is prone to be threatened by man in the middle attack.

Which below choices are correct to help fix this issue? Select 2.

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D. E.

Correct Answer - A, C.

For network load balancer, if TLS is used for the listener, a certificate must be identified for the listener to use as below.

The certificate can come from ACM or IAM.

ACM integrates with Elastic Load Balancing so that you can deploy the certificate on your load balancer.

However, there are regions that ACM is not supported.

A certificate in IAM would be another alternative.

Details can be found in https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html.

Option A is CORRECT because configuring a certificate in ACM is a recommended method when TLS is chosen for the listener.

Option B is incorrect because HTTPS is for an application load balancer rather than a network load balancer.

Option C is CORRECT because a certificate in IAM can be used for TLS listeners.

Option D is incorrect because KMS is not a valid service to provide a certificate for TLS listeners.

And the protocol of SSL is inaccurate for network load balancer as well.

Option E is incorrect because the Secrets Manager cannot provide a certificate for TLS listeners.

1. Configure Load Balancer 2. Configure Security Settings 3. Configure Routing 4. Register Targets 5. Review Step 2: Configure Security Settings Select default certificate AWS Certificate Manager (ACM) is the preferred tool to provision and store server certificates. If you previously stored a server certificate using IAM, you can deploy it to your load balancer. Learn more about TLS listeners and certificate management. Certificate type | @Choose a certificate from ACM (recommended) Upload a certificate to ACM (recommended) Choose a certificate from IAM Upload a certificate to [AM Request a new certificate from ACM AWS Certificate Manager makes it easy to provision, manage, deploy, and renew SSL Certificates on the AWS platform. ACM manages certificate renewals for you. Learn more Certificate name (j | No existing certificates <> els i) Cancel Previous Next: Configure Routing

The correct options to fix the issue of a Node.js application deployed in AWS EC2 instances with a network load balancer, where the load balancer listener is not using TLS and is at security risk and prone to man-in-the-middle attacks, are A and B.

Option A: Modify the listener protocol to TLS and choose an existing certificate in ACM (AWS Certificate Manager).

This option modifies the listener protocol to TLS, which is a more secure protocol than HTTP or SSL. TLS provides encryption and authentication mechanisms to ensure that data transmitted over the network is secure and cannot be intercepted by attackers. Choosing an existing certificate from ACM (AWS Certificate Manager) ensures that the certificate is valid and trusted by clients. This option is a good choice for applications that require high security.

Option B: Change the listener protocol to HTTPS. Import a new certificate to ACM (AWS Certificate Manager) and use it in the load balancer listener.

This option changes the listener protocol to HTTPS, which is a combination of HTTP and TLS. HTTPS provides authentication, encryption, and integrity protection mechanisms, making it a more secure protocol than HTTP or SSL. Importing a new certificate to ACM ensures that the certificate is valid and trusted by clients. This option is a good choice for applications that require high security.

Option C: Edit the listener by changing the protocol to TLS. Use an existing certificate from IAM.

This option modifies the listener protocol to TLS, which is a more secure protocol than HTTP or SSL. However, using a certificate from IAM is not recommended as IAM is not a certificate authority and does not provide certificate management services. This option is not a good choice for applications that require high security.

Option D: Modify the listener protocol to SSL and choose an existing certificate in KMS (AWS Key Management Service).

This option modifies the listener protocol to SSL, which is an older protocol that has been deprecated in favor of TLS. SSL is less secure than TLS and is no longer recommended for use. Choosing an existing certificate from KMS is also not recommended as KMS is a key management service and does not provide certificate management services. This option is not a good choice for applications that require high security.

Option E: Edit the listener by changing the protocol to TLS. Upload a new key to the Secrets Manager and link the key for the listener to use.

This option modifies the listener protocol to TLS, which is a more secure protocol than HTTP or SSL. However, uploading a new key to the Secrets Manager is not recommended as Secrets Manager is a secrets management service and does not provide certificate management services. This option is not a good choice for applications that require high security.

In summary, options A and B are the best choices to fix the issue of a Node.js application deployed in AWS EC2 instances with a network load balancer, where the load balancer listener is not using TLS and is at security risk and prone to man-in-the-middle attacks. These options provide a more secure protocol (TLS or HTTPS) and ensure that the certificate is valid and trusted by clients.

Prev Question Next Question