Reply To: Question on Bank implementing separation of duties between security and dev team
Hi Varun,
The provided answer for this scenario is:
Configure an IAM policy that authorizes access to the certificate store only for the cybersecurity team and then add a configuration to terminate the SSL on the ELB.
You have a valid point that some banks require end-to-end data encryption from the client’s computer to the load balancer and finally to the application server (EC2 instances), especially for payments and transactions. However, there are also some use cases where you don’t need it. In this scenario, the bank is only using the EC2 instances to host its online portal for the foreclosed real estate properties that they own. You can also place the EC2 instances in a private subnet behind an application load balancer, to minimize any data exposure from the public Internet.
Although providing IAM access to ACM for the ELB role is ideal, it is not a common step to take since ACM and ELB can already access each other by default. The main point of the scenario is the resource access of each team and not of the application. In associating a certificate to an ELB, you don’t usually create a custom policy to access the ACM. Below are the steps:
https://aws.amazon.com/premiumsupport/knowledge-center/associate-acm-certificate-alb-nlb/
Regards,
Jon Bonso @ Tutorials Dojo
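The split Jon describes lives in the IAM policy, not in the load balancer. The example below is added here and is not part of the post or of any AWS material: it models the two constructed policies (security team owns the certificate store, dev team owns the ELB listeners but cannot import, export or delete certificates) and checks them with a deliberately simplified evaluator that follows IAM's explicit Deny, then explicit Allow, then implicit deny order while ignoring conditions, NotAction, resource ARNs, SCPs and permission boundaries.

```python
"""Simplified IAM-style check of the ACM / ELB separation of duties (constructed illustration)."""
import fnmatch

# Constructed policy for the cybersecurity team: full control of the certificate store.
SECURITY_TEAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "acm:*", "Resource": "*"}],
}

# Constructed policy for the dev team: manage the ELB and its listeners, read
# certificate metadata, but never handle the private key material in ACM.
DEV_TEAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["acm:ListCertificates", "acm:DescribeCertificate"],
         "Resource": "*"},
        # Explicit Deny so that no other attached policy can re-grant these.
        {"Effect": "Deny",
         "Action": ["acm:ImportCertificate", "acm:ExportCertificate",
                    "acm:DeleteCertificate"],
         "Resource": "*"},
    ],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover this request."""
    return (any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))

def is_allowed(policy, action, resource="*"):
    """Explicit Deny wins, then explicit Allow, otherwise implicit deny."""
    matching = [s for s in policy["Statement"] if _statement_matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)

def separation_holds(security_policy, dev_policy):
    """Only the security team may move key material; dev can still wire up the ELB."""
    key_handling = ["acm:ImportCertificate", "acm:ExportCertificate", "acm:DeleteCertificate"]
    return (all(is_allowed(security_policy, a) for a in key_handling)
            and not any(is_allowed(dev_policy, a) for a in key_handling)
            and is_allowed(dev_policy, "elasticloadbalancing:CreateListener"))
```

Running `separation_holds(SECURITY_TEAM_POLICY, DEV_TEAM_POLICY)` returns True for these policies; against real accounts use the IAM policy simulator, which applies the full evaluation logic this sketch omits.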