Which of the following is not an ideal design recommendation of encrypting data in transit in AWS

Answer options:

A.Limit the number of public subnets
B.Route egress traffic through a NAT instance
C.When using ELB terminate the TLS connection at the back end instances
D.Ensure that security groups and NACLs are configured to address the requirements of the PCI DSS.

Answer - C
The following design recommendations from the AWS documentation is present for encrypting data in transit
1. Limit the number of public subnets. Public subnets within Amazon VPC are similar to the demilitarized zone (DMZ) referred to in the PCI DSS.
2. Route egress traffic to the Internet through a network address translation (NAT) located in the public subnet and deploy all other hosts in private subnets.
3. Enable source/destination checks at the instance level to provide additional safeguards around isolation of network traffic.
4. Ensure that security groups and NACLs are configured to address the requirements of the PCI DSS.
5. Consider terminating the TLS connections at the front-end ELB layer or the WAF layer in the public subnet of Amazon VPC, and configuring non-TLS connections for traffic between private subnets.
For more information on this please see the below link:
https://aws.amazon.com/blogs/security/how-to-address-the-pci-dss-requirements-for-data-encryption-in-transit-using-amazon-vpc/