AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company has a three-tier application on AWS that ingests sensor data from its users' devices. The traffic flows through a Network Load Balancer (NLB), then to Amazon EC2 instances for the web tier, and finally to EC2 instances for the application tier. The application tier makes calls to a database. What should a solutions architect do to improve the security of the data in transit?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Configure a TLS listener. Deploy the server certificate on the NLB.

Configure AWS Shield Advanced. Enable AWS WAF on the NLB.

Change the load balancer to an Application Load Balancer (ALB). Enable AWS WAF on the ALB.

Encrypt the Amazon Elastic Block Store (Amazon EBS) volume on the EC2 instances by using AWS Key Management Service (AWS KMS).

Explanation:

Explanation

Correct Answer: A

Why Option A is correct:

The question specifically asks about improving security of data in transit (data moving between client and server).
A Network Load Balancer (NLB) operates at Layer 4 (transport layer) and can terminate TLS connections.
By configuring a TLS listener and deploying a server certificate on the NLB, you enable encryption for data in transit between clients and the NLB.
This ensures that sensor data from users' devices is encrypted during transmission over the internet.

Why other options are incorrect:

Option B:

AWS Shield Advanced provides DDoS protection, which is about availability, not specifically about encrypting data in transit.
AWS WAF (Web Application Firewall) protects against web exploits but doesn't encrypt data in transit.
NLB doesn't support AWS WAF integration (only ALB and CloudFront support WAF).

Option C:

Changing to ALB and enabling WAF adds web application security but doesn't directly address encryption of data in transit.
While ALB can terminate TLS, the question already has an NLB, and simply enabling WAF doesn't encrypt data.
This option adds unnecessary complexity by changing infrastructure when the existing NLB can already handle TLS termination.

Option D:

Encrypting EBS volumes protects data at rest (stored data), not data in transit.
EBS encryption secures data on disk but doesn't affect network traffic between clients and servers.

Key Concepts:

Data in transit vs data at rest: Different security measures apply to each.
TLS termination at NLB: NLBs can terminate TLS connections at Layer 4, providing encryption for client-to-NLB traffic.
Certificate management: Server certificates must be deployed on the load balancer for TLS termination.
Security layers: DDoS protection (Shield), web application security (WAF), and encryption (TLS) address different security concerns.

Powered ByGPT-5.2

Comments

Loading comments...