Which architecture will provide the MOST secure site access?
Use Amazon Route 53 for domain registration and DNS services. Enable DNSSEC for all Route 53 requests. Use AWS Certificate Manager (ACM) to register TLS/SSL certificates for the shopping website, and use Application Load Balancers configured with those TLS/SSL certificates for the site. Use the Server Name Indication (SNI) extension in all client requests to the site.
Register 2048-bit encryption keys from a third-party certificate service. Use a third-party DNS provider that uses the customer managed keys for DNSSEC. Upload the keys to ACM, and use ACM to automatically deploy the certificates for secure web services to an EC2 front-end web server fleet by using NGINX. Use the Server Name Indication (SNI) extension in all client requests to the site.
Use Route 53 for domain registration. Register 2048-bit encryption keys from a third-party certificate service. Use a third-party DNS service that supports DNSSEC for DNS requests that use the customer managed keys. Import the customer managed keys to ACM to deploy the certificates to Classic Load Balancers configured with those TLS/SSL certificates for the site. Use the Server Name Indication (SNI) extension in all client requests to the site.
Use Route 53 for domain registration, and host the company DNS root servers on Amazon EC2 instances running BIND. Enable DNSSEC for DNS requests. Use ACM to register TLS/SSL certificates for the shopping website, and use Application Load Balancers configured with those TLS/SSL certificates for the site. Use the Server Name Indication (SNI) extension in all client requests to the site.
Explanations:
The first option (Route 53, DNSSEC, ACM, Application Load Balancers) uses Amazon Route 53 for both domain registration and authoritative DNS, with DNSSEC signing enabled on the hosted zone so that validating resolvers reject forged answers and a spoofed DNS response cannot send shoppers to an attacker's server. AWS Certificate Manager (ACM) issues and renews the TLS certificates, and the Application Load Balancers terminate TLS with them, so the private keys stay inside AWS-managed services and the browser-to-ALB channel is encrypted and authenticated. Server Name Indication (SNI) lets the load balancer pick the right certificate when several hostnames share one listener and IP address; it is certificate validation against a trusted CA during the TLS handshake, not SNI itself, that protects customers against man-in-the-middle attacks. Managed DNSSEC plus managed certificates, with no self-operated servers in the path, makes this the strongest of the four.
The second option does use 2048-bit RSA keys, which are an acceptable strength, but it hands DNS to a third-party provider and so gives up Route 53's managed DNSSEC signing and its integration with the rest of the AWS stack. It also misreads ACM: ACM attaches certificates to integrated services such as Elastic Load Balancing and CloudFront; getting an imported certificate onto NGINX on EC2 is the team's own job, which means the private key sits on every web server and the option says nothing about how it is protected or rotated there. A self-managed NGINX fleet on EC2 also adds patching and configuration work, and a misconfiguration (weak cipher suites, a stale certificate, a readable key file) becomes an exposure the managed path would not have.
The third option keeps Route 53 only for registration and again relies on a third-party DNS service with customer-managed DNSSEC keys, so the team owns key generation, storage and rollover instead of delegating them to Route 53 and KMS. It also specifies Classic Load Balancers, which support a single certificate per listener and do not support SNI, so the option's own SNI requirement cannot be met on them; Application Load Balancers support several certificates on one HTTPS listener, selected by SNI, which is what a multi-hostname shopping site needs.
The fourth option keeps Route 53 registration and ACM but runs what it calls the company's DNS root servers (in practice its authoritative name servers) on EC2 instances with BIND. Everything Route 53 would otherwise handle (DNSSEC key generation and rollover, zone signing, resilient anycast capacity, patching the name-server software) becomes the team's responsibility, and an unpatched or misconfigured BIND server, or a leaked signing key, lets an attacker redirect clients to a spoofed site, which is exactly the man-in-the-middle scenario DNSSEC is meant to prevent. That weakens the overall security posture compared with the first option.
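As an added example (not part of this question set and not an AWS-provided template), here is a Terraform sketch of the first option: a Route 53 hosted zone with DNSSEC signing backed by a KMS key, an ACM certificate validated through DNS records in that zone, and an Application Load Balancer HTTPS listener that terminates TLS with the certificate. The domain shop.example.com, the resource names and the three input variables (subnets, security group, target group) are hypothetical.

```hcl
# Added example, not from the page. Hostnames, resource names and the input variables are
# hypothetical; the default AWS provider region comes from the environment. Route 53 DNSSEC
# requires the KMS signing key to be in us-east-1, hence the aliased provider.
provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}
variable "public_subnet_ids" { type = list(string) }
variable "alb_security_group_id" { type = string }
variable "target_group_arn" { type = string }
data "aws_caller_identity" "current" {}

resource "aws_route53_zone" "shop" {
  name = "shop.example.com"
}

# Asymmetric KMS key used as the DNSSEC key-signing key. Route 53 requires ECC_NIST_P256,
# SIGN_VERIFY, and a key policy that lets its DNSSEC service sign and create grants.
resource "aws_kms_key" "ksk" {
  provider                 = aws.virginia
  customer_master_key_spec = "ECC_NIST_P256"
  key_usage                = "SIGN_VERIFY"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "AccountAdmin", Effect = "Allow", Action = "kms:*", Resource = "*",
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" } },
      {
        Sid       = "AllowRoute53DNSSECService"
        Effect    = "Allow"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"]
        Resource  = "*"
        Condition = {
          StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
          ArnLike      = { "aws:SourceArn" = "arn:aws:route53:::hostedzone/*" }
        }
      },
      { Sid = "AllowRoute53DNSSECServiceCreateGrant", Effect = "Allow", Resource = "*",
        Principal = { Service = "dnssec-route53.amazonaws.com" }, Action = "kms:CreateGrant",
        Condition = { Bool = { "kms:GrantIsForAWSResource" = "true" } } }
    ]
  })
}

resource "aws_route53_key_signing_key" "shop" {
  hosted_zone_id             = aws_route53_zone.shop.zone_id
  key_management_service_arn = aws_kms_key.ksk.arn
  name                       = "shop-ksk"
  status                     = "ACTIVE"
}

# Signs the zone. The DS record must then be published in the parent zone (for a domain
# registered with Route 53, through Route 53 Domains) before resolvers validate it.
resource "aws_route53_hosted_zone_dnssec" "shop" {
  hosted_zone_id = aws_route53_zone.shop.zone_id
  signing_status = "SIGNING"
  depends_on     = [aws_route53_key_signing_key.shop]
}

# ACM generates and holds the private key; ownership is proven by DNS records in the zone.
resource "aws_acm_certificate" "shop" {
  domain_name               = "shop.example.com"
  subject_alternative_names = ["www.shop.example.com"]
  validation_method         = "DNS"
}

resource "aws_route53_record" "acm_validation" {
  for_each = { for dvo in aws_acm_certificate.shop.domain_validation_options : dvo.domain_name => dvo }
  zone_id  = aws_route53_zone.shop.zone_id
  name     = each.value.resource_record_name
  type     = each.value.resource_record_type
  ttl      = 60
  records  = [each.value.resource_record_value]
}

resource "aws_acm_certificate_validation" "shop" {
  certificate_arn         = aws_acm_certificate.shop.arn
  validation_record_fqdns = [for r in aws_route53_record.acm_validation : r.fqdn]
}

resource "aws_lb" "shop" {
  load_balancer_type = "application"
  security_groups    = [var.alb_security_group_id]
  subnets            = var.public_subnet_ids
}

# TLS terminates here with the ACM certificate under a TLS 1.2/1.3-only policy. Certificates
# for further hostnames attach with aws_lb_listener_certificate and are selected by SNI.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.shop.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.shop.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn
  }
}
```

Two checks close the loop after apply. Signing alone is not enough: the zone's DS record has to be published at the registrar (for a Route 53-registered domain, via Route 53 Domains, for example `aws route53domains associate-delegation-signer-to-domain`), after which `dig +dnssec shop.example.com` through a validating resolver should return RRSIGs with the `ad` flag set. On the TLS side, `openssl s_client -connect <alb-dns-name>:443 -servername shop.example.com` should show the ACM-issued certificate whose SAN matches the name sent in SNI, which is the certificate selection the first option's SNI requirement is about.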