Member, May 5, 2020 at 1:52 pm
The suggested answer to the following question has 2 possible problems: a) a Bank should never allow unencrypted traffic from ELB to EC2, b) IAM access to ACM for the ELB role is not provided.
The question is:
You are an IT Consultant for a leading commercial bank which has multiple AWS accounts that are consolidated using AWS Organizations. They are building an online portal for the foreclosed real estate properties they own. The online portal is designed to use SSL for better security. The bank would like to implement a separation of responsibilities between the DevOps team and their cybersecurity team. The DevOps team are entitled to manage and log in to the EC2 instances, while the cybersecurity team has exclusive access to the application’s X.509 certificate, which contains the private key and is stored in AWS Certificate Manager (ACM).
In this scenario, which configuration option would satisfy the requirement?
Administrator, May 7, 2020 at 12:38 pm
The provided answer for this scenario is:
Configure an IAM policy that authorizes access to the certificate store only for the cybersecurity team and then add a configuration to terminate the SSL on the ELB.
You have a valid point that some banks require end-to-end data encryption from the client’s computer to the load balancer and finally to the application server (EC2 instances), especially for payments and transactions. However, there are also some use cases where you don’t need it. In this scenario, the bank is only using the EC2 instances to host its online portal for the foreclosed real estate properties that they own. You can also place the EC2 instances in a private subnet behind an application load balancer, to minimize any data exposure from the public Internet.
Although providing IAM access to ACM for the ELB role is ideal, it is not a common step to take since ACM and ELB can already access each other by default. The main point of the scenario is the resource access of each team and not of the application. In associating a certificate to an ELB, you don’t usually create a custom policy to access the ACM. Below are the steps:
Jon Bonso @ Tutorials Dojo
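As an added illustration of the IAM side of the answer above (example policy, not from the original post or from Tutorials Dojo), this is one way to express the separation of responsibilities: the DevOps team keeps its EC2 and ELB permissions but is explicitly denied every ACM action that would issue, import, export or delete the certificate, while only read-only listing remains so a certificate can still be selected when configuring the listener. The account ID, certificate ARN and team names are placeholders; attach an unrestricted `acm:*` Allow to the cybersecurity team's role separately.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DevOpsManagesInstancesAndLoadBalancers",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "elasticloadbalancing:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DevOpsMayOnlyListCertificates",
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:DescribeCertificate",
        "acm:ListTagsForCertificate"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyCertificateLifecycleToDevOps",
      "Effect": "Deny",
      "Action": [
        "acm:RequestCertificate",
        "acm:ImportCertificate",
        "acm:ExportCertificate",
        "acm:DeleteCertificate",
        "acm:RenewCertificate",
        "acm:AddTagsToCertificate",
        "acm:RemoveTagsFromCertificate"
      ],
      "Resource": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID-PLACEHOLDER"
    }
  ]
}
```

An explicit Deny wins over any Allow granted elsewhere, so even a broader policy attached later to the DevOps role cannot reintroduce certificate export or import; ACM itself never returns the private key of an ACM-issued public certificate through its API, so the Deny on `acm:ExportCertificate` matters mainly for certificates issued by AWS Private CA.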