What is the MOST secure way to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
Example.com is hosted on Amazon EC2 instance behind an Application Load Balancer (ALB).Third-party host intrusion detection system (HIDS) agents that capture the traffic of the EC2 instance are running on each host.The company must ensure they are using privacy enhancing technologies for users, without losing the assurance the third-party solution offers.

What is the MOST secure way to meet these requirements?

Enable TLS pass through on the ALB, and handle decryption at the server using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and pass the traffic in the clear to the server.

Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).

Create a listener on the ALB that does not enable Perfect Forward Secrecy (PFS) cipher suites, and use encrypted connections to the servers using Elliptic Curve Diffie-Hellman (ECDHE) cipher suites.

2025-10-13

1 Comment

  1. Eric
    Author

    In my opinion, the answer is:
    Create a listener on the ALB that uses encrypted connections with Elliptic Curve Diffie-Hellman (ECDHE) cipher suites, and use encrypted connections to the servers that do not enable Perfect Forward Secrecy (PFS).

Leave a Reply

Your email address will not be published. Required fields are marked *

two − one =