
End-to-End TLS—Cert Ops vs Cost | SAP-C02

Jeff Taakey, Author
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the SAP-C02, many candidates mistakenly believe that attaching an ACM certificate to an ALB automatically provides end-to-end encryption. In the real world, this is fundamentally a decision about security posture vs. operational overhead. The phrase "end-to-end" is the critical keyword that changes everything: it means no plaintext segment anywhere on the path, including the hop from the load balancer to the instances. Let's drill into a simulated scenario.

The Scenario

GlobalRetail Inc., a multinational e-commerce platform, is migrating its customer-facing web application to AWS. The application will run on a fleet of Amazon EC2 instances behind a load balancer to handle traffic spikes during seasonal sales.

The company’s Chief Information Security Officer (CISO) has mandated a strict security requirement: all data transmitted between end-users and the web servers must be encrypted in transit with no unencrypted segments, even within the AWS infrastructure. This is driven by compliance requirements for handling payment card information.

Key Requirements

Implement a load balancing solution that ensures complete end-to-end TLS encryption from the client browser to the EC2 instances, with minimal operational complexity where possible.

The Options

  • A) Deploy EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate through AWS Certificate Manager (ACM) and associate it with the ALB. Export the SSL certificate from ACM and install it on each EC2 instance. Configure the ALB to listen on port 443 and forward traffic to port 443 on the instances.
  • B) Associate EC2 instances with a target group. Provision an SSL certificate through AWS Certificate Manager (ACM). Create an Amazon CloudFront distribution configured to use the ACM certificate. Set the CloudFront origin to the target group.
  • C) Deploy EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate through AWS Certificate Manager (ACM) and associate it with the ALB. Obtain a third-party SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and forward traffic to port 443 on the instances.
  • D) Deploy EC2 instances behind a Network Load Balancer (NLB). Obtain a third-party SSL certificate and install it on both the NLB and each EC2 instance. Configure the NLB to listen on port 443 and forward traffic to port 443 on the instances.

Correct Answer

Option C.

Step-by-Step Winning Logic

Option C is the only solution that satisfies the end-to-end encryption requirement while using AWS-native services efficiently:

  1. ACM for ALB (Client → ALB encryption): Using ACM provides a free, auto-renewing certificate for the ALB listener. This handles the first TLS termination point at no certificate cost.

  2. Third-party certificate for EC2 instances (ALB → EC2 encryption): Because ACM certificates cannot be exported (AWS retains the private key for security), you must use a separate certificate source for the backend instances. This creates the second TLS segment.

  3. HTTPS throughout the path: Traffic flows as Client --[HTTPS]--> ALB --[HTTPS]--> EC2, with no plaintext segment inside the VPC.

  4. Professional-level insight: The question tests whether you understand ACM’s architectural limitation—it’s designed for AWS-managed endpoints (ALB, CloudFront, API Gateway), not customer-managed EC2 instances.
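The winning logic above amounts to an auditable rule: the ALB listener is HTTPS with an ACM certificate, and every target group it forwards to is HTTPS as well. As an added example, not part of the original article, here is that check written over data shaped like `aws elbv2 describe-listeners` / `describe-target-groups` output; every ARN and name is constructed, and the check also flags a plaintext health-check hop, which the page's diagram does not show but which would break the "no unencrypted segment" mandate.

```python
"""Audit an ALB for end-to-end TLS: an HTTPS listener with an ACM certificate (client -> ALB)
that forwards only to HTTPS target groups (ALB -> EC2). Dict shapes follow `aws elbv2
describe-listeners` / `describe-target-groups`; all sample values are constructed, not captured."""

ACM_ARN_PREFIX = "arn:aws:acm:"  # ACM-managed certificates carry this prefix

def _forwarded_target_groups(action):
    """ARNs a forward action sends traffic to (single-TG or weighted ForwardConfig form)."""
    single = [action["TargetGroupArn"]] if "TargetGroupArn" in action else []
    return single or [t["TargetGroupArn"] for t in action.get("ForwardConfig", {}).get("TargetGroups", [])]

def audit_end_to_end_tls(listeners, target_groups):
    """Return findings as strings; an empty list means no plaintext segment was found."""
    findings, tg_by_arn = [], {tg["TargetGroupArn"]: tg for tg in target_groups}
    for lsn in listeners:
        port, proto = lsn["Port"], lsn["Protocol"]
        tg_arns = [a for act in lsn["DefaultActions"] for a in _forwarded_target_groups(act)]
        if proto != "HTTPS":
            # A :80 listener that only redirects to HTTPS carries no application traffic;
            # one that forwards to targets does, and breaks "no unencrypted segment".
            if tg_arns:
                findings.append(f"listener :{port} is {proto} and forwards: client->ALB segment is plaintext")
            continue
        for cert in lsn.get("Certificates", []):
            if not cert["CertificateArn"].startswith(ACM_ARN_PREFIX):
                findings.append(f"listener :{port} certificate {cert['CertificateArn']} is not ACM-managed")
        for arn in tg_arns:
            tg = tg_by_arn[arn]
            if tg["Protocol"] != "HTTPS":
                findings.append(f"target group {tg['TargetGroupName']} is {tg['Protocol']}: ALB->EC2 segment is plaintext")
            elif tg.get("HealthCheckProtocol", "HTTPS") != "HTTPS":  # health probes are a separate, often missed, hop
                findings.append(f"target group {tg['TargetGroupName']} health checks are {tg['HealthCheckProtocol']}: plaintext probes")
    return findings

# Constructed sample: Option C (ACM on the ALB, HTTPS to the instances) plus an HTTP->HTTPS redirect on :80.
TG_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/"
CERT_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID"
TG_HTTPS = {"TargetGroupArn": TG_PREFIX + "web-https/abc", "TargetGroupName": "web-https", "Protocol": "HTTPS", "Port": 443, "HealthCheckProtocol": "HTTPS"}
TG_HTTP = {"TargetGroupArn": TG_PREFIX + "web-http/def", "TargetGroupName": "web-http", "Protocol": "HTTP", "Port": 80, "HealthCheckProtocol": "HTTP"}
REDIRECT_80 = {"Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "redirect",
               "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]}

def https_listener(tg):  # HTTPS :443 listener carrying the ACM certificate, forwarding to one target group
    return {"Port": 443, "Protocol": "HTTPS", "Certificates": [{"CertificateArn": CERT_ARN}],
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": tg["TargetGroupArn"]}]}

OPTION_C = audit_end_to_end_tls([REDIRECT_80, https_listener(TG_HTTPS)], [TG_HTTPS, TG_HTTP])  # -> []
EDGE_ONLY = audit_end_to_end_tls([REDIRECT_80, https_listener(TG_HTTP)], [TG_HTTPS, TG_HTTP])   # -> 1 finding
```

`EDGE_ONLY` is the configuration candidates mistake for end-to-end TLS: the ACM certificate terminates TLS at the ALB and the instances are reached over plain HTTP.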


💎 The Architect’s Deep Dive: Why Options Fail

The Traps (Distractor Analysis)

  • Why not Option A?
    Fatal flaw: You cannot export ACM certificates. The private key never leaves AWS’s hardware security modules (HSMs). While the rest of the architecture is correct, this option is technically impossible to implement. This is a common trap for candidates who assume ACM works like traditional certificate authorities.

  • Why not Option B?
    Architectural mismatch: CloudFront is a CDN, not a load balancer for origin servers. More critically, you cannot set a “target group” as a CloudFront origin—origins must be S3 buckets, HTTP servers, or MediaStore containers. This option conflates services and demonstrates a misunderstanding of CloudFront’s purpose. Additionally, CloudFront adds unnecessary latency and cost if the requirement is only encryption, not global content delivery.

  • Why not Option D?
    Certificate incompatibility: Network Load Balancers operate at Layer 4 (TCP/UDP) and, until late 2019, did not support TLS termination at all. Even with TLS listener support, a passthrough (TCP) listener carries no certificate at all, ACM or otherwise, and installing certificates "on the NLB" isn't the correct operational model. NLBs performing TLS termination still use ACM (not third-party certs installed directly), making this description technically inaccurate. The better NLB approach would be TLS passthrough (letting EC2 handle all encryption), but that's not what this option describes.


The Architect Blueprint

```mermaid
graph TB
    Client([End User Browser]) -->|HTTPS :443<br/>ACM Certificate| ALB[Application Load Balancer]
    ALB -->|HTTPS :443<br/>Third-Party Certificate| EC2_1[EC2 Instance 1<br/>Web Server]
    ALB -->|HTTPS :443<br/>Third-Party Certificate| EC2_2[EC2 Instance 2<br/>Web Server]
    ALB -->|HTTPS :443<br/>Third-Party Certificate| EC2_3[EC2 Instance 3<br/>Web Server]
    style ALB fill:#FF9900,stroke:#232F3E,stroke-width:3px,color:#fff
    style EC2_1 fill:#527FFF,stroke:#232F3E,stroke-width:2px,color:#fff
    style EC2_2 fill:#527FFF,stroke:#232F3E,stroke-width:2px,color:#fff
    style EC2_3 fill:#527FFF,stroke:#232F3E,stroke-width:2px,color:#fff
    style Client fill:#232F3E,stroke:#FF9900,stroke-width:2px,color:#fff
```


Diagram Note: Two distinct TLS tunnels ensure no plaintext transmission—ACM secures the public internet connection, while third-party certificates installed via automation (Systems Manager, user data, or configuration management) secure the internal AWS network segment.

The Decision Matrix

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A | Medium | Not Viable | Leverages ACM's auto-renewal; familiar ALB setup | Impossible to implement: ACM private keys cannot be exported; option fails at implementation |
| B | High | $650+ | CloudFront provides DDoS protection (AWS Shield Standard); global edge caching | Target groups are not valid CloudFront origins; adds unnecessary CDN cost (~$85/TB + $600/mo request fees); introduces latency for non-cacheable dynamic content; architectural mismatch |
| C | Medium-High | $50-150 | Meets end-to-end encryption requirement; ACM certificate = $0; proven architecture | Requires certificate lifecycle management for EC2 fleet (renewal automation needed via Ansible/Chef or AWS Systems Manager); third-party cert cost (~$50-150/yr for multi-domain) |
| D | Medium | $35-100 | NLB lower cost than ALB (~$16/mo vs ~$23/mo); high throughput for TCP | Technically inaccurate description: NLBs don't support "installing" third-party certs directly; TLS termination on NLB still uses ACM; better suited for TLS passthrough (not described here); loses ALB's Layer 7 capabilities (host-based routing, WAF integration) |

Cost Breakdown Notes:

  • ALB: $23/month (720 hours) + $0.008/LCU-hour ($6-20/mo for moderate traffic) = $30-45/mo base
  • ACM Certificate: $0 (free for AWS-integrated services)
  • Third-party certificate: ~$50-150/year depending on provider (Let’s Encrypt = free but requires automation, DigiCert/Sectigo = $50-150/yr)
  • CloudFront (Option B): $600/mo for 10M requests + $85/TB data transfer = prohibitively expensive for non-CDN use cases
  • NLB (Option D): $16/month + $0.006/NLCU-hour ($4-15/mo) = $20-35/mo base (cheaper than ALB but less feature-rich)


Real-World Practitioner Insight

Exam Rule

For the SAP-C02, when you see “end-to-end encryption” combined with ALB and EC2, always look for:

  1. ACM certificate on the ALB (never pay for LB certificates)
  2. Separate certificate mechanism for EC2 instances (ACM export is impossible)
  3. Reject any option suggesting ACM certificate export

This pattern appears in 3-5 questions per exam in various forms (ALB, CloudFront, API Gateway scenarios).

Real World

In production environments at scale, we typically implement this using:

  • AWS Certificate Manager Private CA (ACM PCA): Issue internal certificates to EC2 instances programmatically ($400/month for the CA + $0.75/cert). This allows automated certificate distribution without third-party vendors while maintaining ACM integration.

  • Let’s Encrypt + Automation: For cost-sensitive projects, deploy certbot with AWS Systems Manager Automation documents to renew certificates every 60 days. Total cost = $0, but requires robust automation (infrastructure-as-code).

  • HashiCorp Vault: Enterprises with existing Vault deployments use it as a PKI backend to issue short-lived certificates (24-72 hour TTL) to instances, eliminating renewal concerns entirely.

  • Layer 7 WAF consideration: In reality, most companies also attach AWS WAF to the ALB (additional $5/month + $1/million requests), adding protection against OWASP Top 10 attacks—a requirement the exam question omitted but would exist in a PCI-DSS environment.

The hidden cost: Certificate management automation labor. A mid-sized deployment (100 instances) requires ~16-24 hours of DevOps time to build auto-renewal pipelines, plus ongoing maintenance. This “hidden FinOps cost” often exceeds the certificate purchase price itself.
