ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An Amazon Application Load Balancer (ALB) terminates HTTPS for a public REST API backed by EC2 instances. A security scan shows the ALB still offers TLS 1.0 cipher suites that use 3DES, exposing the site to SWEET32. Corporate policy now demands that Internet clients use TLS 1.2 or later, but legacy on-prem controllers (from a known CIDR) can only connect with TLS 1.0 using AES128-SHA. Without adding new AWS services, which change best mitigates the vulnerability while keeping all clients operational?
Move TLS termination to the EC2 instances and configure their web servers to disable 3DES while keeping TLS 1.0 enabled, leaving the ALB to forward TCP traffic.
Create an additional HTTPS listener on port 8443 with a custom SSL policy that allows only TLS 1.0/AES128-SHA, update the ALB's security group to permit port 8443 only from the corporate CIDR, and set the 443 listener to a TLS 1.2-only policy.
Enable AWS WAF on the ALB and create a rule to block any requests that use 3DES cipher suites, leaving the existing listener configuration unchanged.
Replace the ALB's current SSL policy with the predefined ELBSecurityPolicy-TLS-1-2-2017-01 so only TLS 1.2 cipher suites are offered to every client.
Adding a second HTTPS listener lets you apply different SSL policies on different ports. Reconfigure the existing 443 listener to use an AWS TLS 1.2-only policy so public traffic cannot negotiate 3DES, eliminating the SWEET32 risk. Create a new listener on an alternate port (such as 8443) that uses a custom policy permitting only TLS 1.0 with AES128-SHA for the legacy controllers. Because an ALB's security group is applied to the entire load balancer and can include port-specific ingress rules, you can allow inbound traffic on port 8443 solely from the corporate CIDR while still allowing 0.0.0.0/0 on port 443. Simply enforcing TLS 1.2 on the current listener would break the controllers; moving TLS termination to the instances would add operational overhead and require other load-balancer changes; AWS WAF cannot filter by cipher suite, so it cannot address the SWEET32 exposure.
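The explanation above boils down to three checks a practitioner would want to run against the ALB's listener and security-group configuration before and after the change: no listener offers a 3DES (64-bit block) cipher suite, no pre-TLS 1.2 protocol is reachable from outside the corporate CIDR, and at least one listener the corporate CIDR can reach still offers TLS 1.0 with AES128-SHA. The following audit script is an added example written for this page; it is not from the page, from ISC2, or from AWS. All listener, policy and security-group data in it is constructed: the dictionaries loosely mirror the shape of `aws elbv2 describe-listeners`, `aws elbv2 describe-ssl-policies` and `aws ec2 describe-security-groups` output, but every value is made up, the 203.0.113.0/24 corporate range is a documentation prefix, the cipher lists are illustrative subsets, and the 8443 policy name is a placeholder (on an ALB the listener's `--ssl-policy` value has to be one of AWS's predefined policy names). The "before" data reproduces the vulnerable state from the question, the "after" data the two-listener design from the explanation, and the audit also flags the TLS 1.2-everywhere option as breaking the legacy controllers.

```python
import ipaddress

# Constructed example data (not from the page and not real AWS output). Dict
# shapes loosely follow `aws elbv2 describe-listeners` / `describe-ssl-policies`
# / `aws ec2 describe-security-groups`, but every value is made up, and the
# 8443 policy name is a placeholder.

# OpenSSL names of 3DES suites: 64-bit block size, hence SWEET32-affected.
SWEET32_CIPHERS = {
    "DES-CBC3-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "ECDHE-ECDSA-DES-CBC3-SHA",
    "EDH-RSA-DES-CBC3-SHA",
}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
CORPORATE_CIDR = "203.0.113.0/24"         # constructed on-prem range
LEGACY_NEEDS = ("TLSv1", "AES128-SHA")    # the only thing the controllers can speak

BEFORE_LISTENERS = [
    {"Port": 443, "SslPolicy": {
        "Name": "permissive-policy-EXAMPLE",
        "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
        "Ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA"]}},
]
BEFORE_SG = [{"FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]

AFTER_LISTENERS = [
    {"Port": 443, "SslPolicy": {
        "Name": "ELBSecurityPolicy-TLS-1-2-2017-01",  # name from the page; cipher subset constructed
        "SslProtocols": ["TLSv1.2"],
        "Ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]}},
    {"Port": 8443, "SslPolicy": {
        "Name": "legacy-controllers-EXAMPLE",          # placeholder policy name
        "SslProtocols": ["TLSv1"],
        "Ciphers": ["AES128-SHA"]}},
]
AFTER_SG = [
    {"FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
    {"FromPort": 8443, "ToPort": 8443, "CidrIp": CORPORATE_CIDR},
]


def sources_for_port(sg_rules, port):
    """Ingress networks whose FromPort..ToPort range admits `port` (IPv4 rules only)."""
    return [ipaddress.ip_network(r["CidrIp"])
            for r in sg_rules if r["FromPort"] <= port <= r["ToPort"]]


def audit(listeners, sg_rules, corporate_cidr=CORPORATE_CIDR, legacy_needs=LEGACY_NEEDS):
    """Return (port, code, detail) findings; an empty list means the config meets policy."""
    corp = ipaddress.ip_network(corporate_cidr)
    findings = []
    legacy_served = False
    for lst in listeners:
        port, policy = lst["Port"], lst["SslPolicy"]
        sources = sources_for_port(sg_rules, port)
        # Any admitted network that is not inside the corporate range counts as Internet exposure.
        exposed = [str(n) for n in sources if not n.subnet_of(corp)]

        weak = sorted(SWEET32_CIPHERS & set(policy["Ciphers"]))
        if weak:
            findings.append((port, "SWEET32", "3DES suites offered: " + ", ".join(weak)))

        legacy = sorted(LEGACY_PROTOCOLS & set(policy["SslProtocols"]))
        if legacy and exposed:
            findings.append((port, "PUBLIC_LEGACY_TLS",
                             ", ".join(legacy) + " reachable from " + ", ".join(exposed)))

        # Does this listener keep the on-prem controllers working?
        proto, cipher = legacy_needs
        if (proto in policy["SslProtocols"] and cipher in policy["Ciphers"]
                and any(corp.subnet_of(n) for n in sources)):
            legacy_served = True

    if not legacy_served:
        findings.append((None, "LEGACY_CLIENTS_BROKEN",
                         f"no listener reachable from {corporate_cidr} offers "
                         f"{legacy_needs[0]}/{legacy_needs[1]}"))
    return findings


if __name__ == "__main__":
    for label, lst, sg in (("before", BEFORE_LISTENERS, BEFORE_SG),
                           ("after", AFTER_LISTENERS, AFTER_SG)):
        print(label, audit(lst, sg) or "compliant")
```

Running the script reports SWEET32 and PUBLIC_LEGACY_TLS on port 443 for the "before" data and "compliant" for the two-listener design. Feeding it only the hardened 443 listener (the TLS 1.2-everywhere option) yields LEGACY_CLIENTS_BROKEN, and opening 8443 to 0.0.0.0/0 instead of the corporate CIDR yields PUBLIC_LEGACY_TLS on 8443, which is the configuration mistake the security-group rule exists to prevent.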
Cryptography