The correct answer is D. Import a new third-party certificate into AWS Certificate Manager (ACM). Associate the certificate with the ALB. Install the certificate on the EC2 instances.
This answer is correct because it meets the requirements of complete encryption of the traffic between external users and the application. By importing a third-party certificate into ACM, the security engineer can use it to secure the communication between the ALB and the clients. By installing the same certificate on the EC2 instances, the security engineer can also secure the communication between the ALB and the instances.This way, both the front-end and back-end connections are encrypted withSSL/TLS1.
The other options are incorrect because:
A.Creating a new Amazon-issued certificate in AWS Secrets Manager is not a solution, because AWS Secrets Manager is not a service for issuing certificates, but for storing and managing secrets such as database credentials and API keys2. AWS Secrets Manager does not integrate with ALB or EC2 for certificate deployment.
B.Creating a new Amazon-issued certificate in AWS Certificate Manager (ACM) and exporting it from ACM is not a solution, because ACM does not allow exporting Amazon-issued certificates3.ACM only allows exporting private certificates that are issued by an AWS Private Certificate Authority (CA)4.
C.Importing a new third-party certificate into AWS Identity and Access Management (IAM) is not a solution, because IAM is not a service for managingcertificates, but for controlling access to AWS resources5. IAM does not integrate with ALB or EC2 for certificate deployment.
[References:, 1:How SSL/TLS works2:What is AWS Secrets Manager?3:Exporting an ACM Certificate4:Exporting Private Certificates from ACM5:What is IAM?, , , , , ]
