Which of the following minimizes the potential attack surface for applications?
A.
Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
B.
Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
C.
Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
D.
Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.
Correct answer: A. From Devjava's post:
From https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf: "Always use security groups: They provide stateful firewalls for Amazon EC2 instances at the hypervisor level. You can apply multiple security groups to a single instance, and to a single ENI."
The answer is A because the best practice is to use security groups over NACLs whenever possible. Furthermore, security groups reduce the attack surface at the hypervisor level.
I thought B; after reading again, NACLs are stateless. Confused between A and D. But ChatGPT's response is: Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
Best practices for network security in the AWS cloud include the following:
• Always use security groups: They provide stateful firewalls for Amazon EC2 instances at the hypervisor level. You can apply multiple security groups to a single instance, and to a single ENI.
A is incorrect, the EC2 location is a private network, not a surface.
B is incorrect, Network ACL is stateless.
C is incorrect, 'AWS Direct Connect' is no surface.
A is nonsense. They are using the Xen hypervisor; I don't think they're setting a firewall at the hypervisor level, but maybe I'm wrong. They probably do use Open vSwitch as an SDN layer, which runs in Linux userspace!!! https://wiki.xenproject.org/wiki/Xen_Networking
Always use security groups: They provide stateful firewalls for Amazon EC2 instances at the hypervisor level. You can apply multiple security groups to a single instance, and to a single ENI.
Reference: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
Always use security groups: They provide stateful firewalls for Amazon EC2 instances at the hypervisor level. You can apply multiple security groups to a single instance, and to a single ENI.
Copied AnNguyen's explanation in order to be able to vote.
Answer is A.
B: NACL is stateless.
C: Direct Connect connects AWS to on-premises, not private subnets to one another.
D: Should be multi-layer, not single-layer.
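The thread's reasoning is that security groups are where an instance's reachable attack surface is actually defined, so the practical check is to audit their ingress rules. The script below is an added example, not code from the thread or from the AWS whitepaper: it flags any rule reachable from 0.0.0.0/0 or ::/0 other than an explicitly allowed public port, and any all-protocol ("-1") rule granted to a CIDR instead of to another security group. The sample groups are constructed by hand in the shape `ec2.describe_security_groups()` returns, so nothing here calls AWS; the group IDs and names are made up.

```python
"""Audit security-group ingress rules for internet exposure.

Added example (not from the thread or the AWS whitepaper). The input is a
hand-constructed list in the shape of boto3's
ec2.describe_security_groups()["SecurityGroups"], so the script runs
offline; feed it real API output to audit an account.
"""
from typing import List, Tuple

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample data; group IDs and names are made up.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0aaa111",
        "GroupName": "web-tier",
        "IpPermissions": [
            # Intended exposure: HTTPS from anywhere (v4 and v6).
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}],
             "Ipv6Ranges": [{"CidrIpv6": ANY_V6}],
             "UserIdGroupPairs": []},
            # Finding: SSH open to the world.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_V4}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222",
        "GroupName": "app-tier",
        "IpPermissions": [
            # Good: only members of the web tier's group may reach 8080.
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}]},
            # Finding: every protocol and port from a whole /8.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]


def describe_ports(perm: dict) -> str:
    """Human-readable protocol/port description of one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    # ICMP wildcards and missing ports mean "all" for that protocol.
    if lo is None or hi is None or (lo == -1 and hi == -1):
        return f"{proto} all"
    return f"{proto} {lo}" if lo == hi else f"{proto} {lo}-{hi}"


def find_risky_ingress(groups: List[dict],
                       allowed_public_ports=(443,)) -> List[Tuple[str, str, str]]:
    """Return (group id, ports, source CIDR) for ingress rules that widen
    the attack surface: anything reachable from 0.0.0.0/0 or ::/0 except
    a single TCP port listed in allowed_public_ports, plus any all-protocol
    rule granted to a CIDR. Rules whose source is another security group
    (UserIdGroupPairs) are not flagged: that is the least-privilege pattern.
    """
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            single_allowed = (proto == "tcp" and lo == hi
                              and lo in allowed_public_ports)
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for src in sources:
                if src in (ANY_V4, ANY_V6) and not single_allowed:
                    findings.append((g["GroupId"], describe_ports(perm), src))
                elif proto == "-1":
                    findings.append((g["GroupId"], describe_ports(perm), src))
    return findings


if __name__ == "__main__":
    for group_id, ports, src in find_risky_ingress(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {ports} reachable from {src}")
```

On the sample data this reports SSH on sg-0aaa111 from 0.0.0.0/0 and the all-protocol rule on sg-0bbb222 from 10.0.0.0/8, while the HTTPS rule and the group-to-group 8080 rule pass. Because a security group is stateful, the allowed 443 rule needs no matching outbound rule for the return traffic; an equivalent allowlist on a network ACL would additionally need an outbound rule for the ephemeral port range, which is the statelessness the thread keeps pointing at.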