The load balancer can terminate HTTPS and redirect HTTP to HTTPS.
Why this answer
Option C is correct because Elastic Beanstalk environments using a load balancer (ALB or CLB) can be configured to listen on port 443 with the ACM certificate for HTTPS termination, and simultaneously define a listener on port 80 with a redirect action that sends HTTP traffic to HTTPS. This is the simplest and most scalable approach, as it offloads SSL termination and redirection to the load balancer, eliminating the need to manage certificates or redirection logic on individual instances.
Exam trap
The trap here is that candidates often assume SSL termination must happen on the EC2 instances (Option B) or that a separate service like CloudFront (Option D) is required, when in fact the Elastic Beanstalk load balancer can natively handle both HTTPS termination and HTTP-to-HTTPS redirection with minimal configuration.
How to eliminate wrong answers
Option A is wrong because a NAT instance is used for outbound traffic from private subnets, not for SSL termination or HTTP-to-HTTPS redirection; it does not support load balancing or certificate management. Option B is wrong because installing the certificate on each EC2 instance and configuring the web server to redirect HTTP to HTTPS is inefficient, requires manual certificate renewal, and does not leverage Elastic Beanstalk's managed load balancer for centralized SSL termination. Option D is wrong because while CloudFront can redirect HTTP to HTTPS, it adds unnecessary complexity and cost for a simple single-region web app; the question specifically asks about configuring the Elastic Beanstalk environment, not an external CDN.