Which solutions can the security engineer use to create a certificate and deploy the certificate at the ALB to meet these requirements?
(Choose two.)
Use TLS tools to create a certificate signing request (CSR). Get the CSR signed by a certificate authority (CA) to produce a certificate. Import the certificate into AWS Certificate Manager (ACM).Specify the certificate for the TLS listener on the ALB.
Use AWS Certificate Manager (ACM) to request a certificate. Specify the certificate fort the TLS listener on the ALB.
Use AWS Key Management Service (AWS KMS) tools to create a certificate signing request (CSR). Get the CSR signed by a certificate authority (CA) to produce a certificate. Import the certificate into AWS Certificate Manager (ACM). Specify the certificate for the TLS listener on the ALB.
Configure automatic TLS support in the ECS cluster. Configure the ALB to pass the TLS connection to the containers in the cluster.
Generate a certificate while creating the ECS cluster. Import the certificate into AWS Certificate Manager (ACM). Specify the certificate for the TLS listener on the ALB.
Explanations:
The process of creating a certificate signing request (CSR), getting it signed by a certificate authority (CA), importing it into AWS Certificate Manager (ACM), and specifying it on the ALB is a valid solution for terminating TLS traffic.
AWS Certificate Manager (ACM) can directly issue and manage certificates. The certificate can be specified for the TLS listener on the ALB, making this a valid solution.
AWS Key Management Service (KMS) does not provide tools for directly creating a certificate. KMS is used for key management, not certificate signing.
The ECS service does not automatically handle TLS termination or support for passing TLS connections to containers. The ALB needs to handle TLS termination before traffic reaches the ECS containers.
While a certificate can be generated for an ECS cluster, the ECS service itself does not manage certificates or TLS termination. Certificates must be managed using ACM, not the ECS service.
I believe the answer is:
Use TLS tools to create a certificate signing request (CSR). Get the CSR signed by a certificate authority (CA) to produce a certificate. Import the certificate into AWS Certificate Manager (ACM).Specify the certificate for the TLS listener on the ALB.