A cloud administrator is configuring a web application hosted on a public cloud VM. The application must be accessible over HTTPS, and the administrator needs to ensure that all traffic between the client and the server is encrypted. The cloud provider offers a managed certificate service. Which of the following is the BEST practice for securing the application?
The managed service automates certificate lifecycle, reducing administrative overhead and risk.
Why this answer
The cloud provider's managed certificate service automatically handles certificate provisioning, renewal, and attachment to the load balancer, ensuring HTTPS traffic is encrypted with a trusted certificate from a public CA. This is the best practice because it offloads TLS termination to the load balancer, reducing the VM's CPU overhead and centralizing certificate management. It also ensures the certificate is automatically renewed before expiry, preventing service disruptions.
Exam trap
The trap here is that candidates may think manually installing a certificate from a public CA (Option D) is more secure or gives more control. The cloud provider's managed service is the best practice, however, because it automates lifecycle management and offloads TLS termination to the load balancer, reducing both attack surface and operational burden.
How to eliminate wrong answers
Option B is wrong because a self-signed certificate is not trusted by client browsers, causing security warnings and breaking the trust model required for public HTTPS. Option C is wrong because disabling HTTPS removes application-layer encryption, leaving traffic vulnerable to interception even if network-level encryption (like IPsec) is used, as it does not protect against man-in-the-middle attacks at the application layer. Option D is wrong because manually installing a certificate and private key on the VM increases management overhead, risks exposing the private key, and does not leverage the cloud provider's automated renewal and load balancer integration.