Which solution would remediate the audit finding while minimizing the effort required?
Upload an SSL certificate to IAM, and configure Amazon CloudFront with the passphrase for the private key.
Call KMS.Encrypt() in the client, passing in the data file contents, and call KMS.Decrypt() server-side.
Use AWS Certificate Manager to provision a certificate on an Elastic Load Balancer in front of the web service’s servers.
Create a new VPC with an Amazon VPC VPN endpoint, and update the web service’s DNS record.
Explanations:
Uploading an SSL certificate to IAM and configuring CloudFront with the passphrase for the private key is not a recommended way to encrypt data in transit. TLS termination is configured on the service that terminates the connection, such as a load balancer or a CloudFront distribution, rather than through IAM.
Encrypting data using KMS on the client side is unnecessary for securing data in transit. While KMS can be used for encryption, it does not address the core issue of securing data during transmission over untrusted networks. Transport encryption (e.g., HTTPS) is more appropriate.
Provisioning an SSL/TLS certificate with AWS Certificate Manager (ACM) and deploying it on an Elastic Load Balancer (ELB) in front of the web servers ensures that data is encrypted in transit between the remote workers and the web service. This is the most effective and scalable solution.
While a VPC VPN endpoint could provide secure communication, it introduces unnecessary complexity and management overhead, especially when it is not needed for securing individual client-to-server communication over the internet. HTTPS/TLS encryption is simpler and more appropriate.