A Node.js software team has developed a recipe application that end-users can search and share recipes. The team deployed the app in AWS EC2 instances with a network load balancer. A recent security audit has discovered an issue that the load balancer listener is not using TLS. That means the application is at a security risk and is prone to be threatened by man in the middle attack. Which below choices are correct to help fix this issue? Select 2.

Answer options:

A.Modify the listener protocol to TLS and choose an existing certificate in ACM (AWS Certificate Manager).
B.Change the listener protocol to HTTPS. Import a new certificate to ACM (AWS Certificate Manager) and use it in the load balancer listener.
C.Edit the listener by changing the protocol to TLS. Use an existing certificate from IAM.
D.Modify the listener protocol to SSL and choose an existing certificate in KMS (AWS Key Management Service).
E.Edit the listener by changing the protocol to TLS. Upload a new key to the Secrets Manager and link the key for the listener to use.

Correct Answer – A, C
 
For network load balancer, if TLS is used for the listener, a certificate must be identified for the listener to use as below.
The certificate can come from ACM or IAM. ACM integrates with Elastic Load Balancing so that you can deploy the certificate on your load balancer. However, there are regions that ACM is not supported. A certificate in IAM would be another alternative. Details can be found in https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html.
Option A is CORRECT because configuring a certificate in ACM is a recommended method when TLS is chosen for the listener.
Option B is incorrect because HTTPS is for an application load balancer rather than a network load balancer.
Option C is CORRECT because a certificate in IAM can be used for TLS listeners.
Option D is incorrect because KMS is not a valid service to provide a certificate for TLS listeners. And the protocol of SSL is inaccurate for network load balancer as well.
Option E is incorrect because the Secrets Manager cannot provide a certificate for TLS listeners.