AWS Certified Security - Specialty Exam: Terminating SSL Traffic in Amazon ECS with Application Load Balancer

Terminate SSL Traffic in Amazon ECS with Application Load Balancer

Question

An application is deployed as a docker image running on Amazon ECS.

You use an Application Load Balancer to distribute the traffic to the ECS cluster.

You want to terminate the SSL traffic in the ELB.

How would you create and install the certificate for the Application Load Balancer? (SELECT TWO.)

Answers

Explanations


Answer: C and D.

Option A is incorrect because KMS is used for the storage and management of data encryption keys and would not assist in creating a certificate for ELB.

Option B is incorrect because the certificate of ELB is not configured through the ECS service.

Option C is CORRECT because you can use OpenSSL to generate certificates and upload the certificates to IAM/ACM for ELB.

Option D is CORRECT because AWS Certificate Manager (ACM) can be used for creating and managing public SSL/TLS certificates.

Option E is incorrect because Amazon Fargate does not provide support for such functionality.

Reference:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

The following explains the steps to create and install a certificate for an Application Load Balancer (ALB) that terminates SSL traffic for an application deployed as a Docker image running on Amazon ECS.

First, it's important to understand that SSL termination is the process of decrypting SSL traffic at the load balancer and then forwarding the traffic to the backend ECS tasks as unencrypted HTTP traffic, so the hop from the load balancer to the targets is protected only by the VPC boundary. This is a common pattern for load balancing HTTPS traffic to backend applications.

Now, let's look at the options provided in the question:

A. Create the certificate in Amazon KMS and upload it to the ELB. This option is incorrect because Amazon KMS is a key management service that is used to create and manage encryption keys, not SSL certificates. SSL certificates are issued by certificate authorities (CAs) or can be self-signed.

B. Store the certificate and private key in the ELB through the ECS service. This option is also incorrect because ELB does not support storing SSL certificates and private keys through the ECS service. SSL certificates must be uploaded and managed directly in the AWS Management Console or via API/CLI commands.

C. Use the OpenSSL command to generate a certificate, upload it to IAM and configure ELB to use the certificate. This option is partially correct. OpenSSL is a popular tool for generating SSL certificates, but uploading it to IAM is unnecessary. IAM is a service for managing user identities and access to AWS resources. Instead, SSL certificates can be uploaded directly to AWS Certificate Manager (ACM), which is a managed service that makes it easy to provision, manage, and deploy SSL/TLS certificates for use with AWS services.

Here are the steps to generate an SSL certificate with OpenSSL and upload it to ACM:

  1. Use OpenSSL to generate a certificate signing request (CSR) and a private key for the certificate. For example, you can run the following command:

     openssl req -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

  2. Use the CSR to request a certificate from a CA or create a self-signed certificate. For example, you can run the following command to create a self-signed certificate:

     openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt

  3. Upload the certificate to AWS Certificate Manager (ACM) in the AWS Management Console or via the AWS CLI. For example, you can run the following command to upload the certificate:

     aws acm import-certificate --certificate file://mydomain.crt --private-key file://mydomain.key --region us-west-2

  4. After the certificate is uploaded to ACM, you can use it with your ALB by selecting the certificate in the listener configuration for the load balancer.

D. Request a certificate in ACM and configure the Application Load Balancer to use the certificate. This option is correct and similar to option C, but instead of generating a certificate with OpenSSL, it suggests requesting a certificate directly from ACM. This is the recommended approach as ACM provides managed certificates that can be easily renewed and managed. The steps for this option are as follows:

  1. Request a certificate in ACM in the AWS Management Console or via the AWS CLI. For example, you can run the following command to request a certificate:

     aws acm request-certificate --domain-name mydomain.com --subject-alternative-names www.mydomain.com --validation-method DNS --region us-west-2

  2. After the certificate is issued and validated, you can use it with your ALB by selecting the certificate in the listener configuration for the load balancer.
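The script below is an added example (not code from the page or from AWS) that automates the option C steps (OpenSSL key, CSR and self-signed certificate, then ACM import) and the option D step (ACM-issued certificate), and then performs the shared final step of attaching the certificate to an HTTPS listener on the ALB. It assumes openssl and the AWS CLI are installed with credentials and a default region configured; ALB_ARN and TG_ARN are placeholders for your own load balancer and ECS target group ARNs.

```shell
#!/bin/sh
# Added example, not code from the page: scripts the steps above for an ALB
# that terminates TLS in front of an ECS service. Assumes openssl and the AWS
# CLI are installed and credentials/region are configured; ALB_ARN and TG_ARN
# are placeholders the caller must set.
set -eu

# Option C, steps 1-2: key, CSR and a 365-day self-signed cert, all
# non-interactive. Succeeds only if the cert really was signed with this key.
make_self_signed_cert() {
  domain=$1; dir=$2
  mkdir -p "$dir"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$domain" \
    -keyout "$dir/$domain.key" -out "$dir/$domain.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/$domain.csr" \
    -signkey "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
  [ "$(openssl x509 -noout -pubkey -in "$dir/$domain.crt")" = \
    "$(openssl pkey -pubout -in "$dir/$domain.key")" ]
}

# Option C, step 3: import the pair into ACM; prints the certificate ARN.
import_to_acm() {
  aws acm import-certificate --certificate "fileb://$1" \
    --private-key "fileb://$2" --query CertificateArn --output text
}

# Option D, step 1: ACM issues the cert after DNS validation; prints the ARN.
request_from_acm() {
  aws acm request-certificate --domain-name "$1" --validation-method DNS \
    --query CertificateArn --output text
}

# Final step (both options): HTTPS listener with a TLS 1.2/1.3-only policy,
# plus an HTTP listener that only redirects to HTTPS.
create_https_listener() {
  lb_arn=$1; tg_arn=$2; cert_arn=$3
  aws elbv2 create-listener --load-balancer-arn "$lb_arn" --protocol HTTPS \
    --port 443 --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --certificates "CertificateArn=$cert_arn" \
    --default-actions "Type=forward,TargetGroupArn=$tg_arn"
  aws elbv2 create-listener --load-balancer-arn "$lb_arn" --protocol HTTP \
    --port 80 --default-actions \
    'Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,StatusCode=HTTP_301}'
}

# Example end-to-end run for option C (set ALB_ARN and TG_ARN first):
#   make_self_signed_cert mydomain.example ./certs
#   arn=$(import_to_acm ./certs/mydomain.example.crt ./certs/mydomain.example.key)
#   create_https_listener "$ALB_ARN" "$TG_ARN" "$arn"
```

For option D, the listener can only be created after ACM reports the requested certificate as ISSUED, which happens once the DNS validation record is in place.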

E. Use Amazon Fargate as the container compute engine. It offers native TLS security in the Application Load Balancer. This option