Exam AWS Certified Security - Specialty topic 1 question 94 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 94
Topic #: 1
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.
Which of the following mitigations should be recommended?

  • A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
  • B. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
  • C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
  • D. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
Suggested Answer: A 🗳️
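Added illustration of what option A looks like in practice (not part of the exam material or any commenter's post): a custom AWS Config rule handler in Python that flags an Internet Gateway attached to a VPC outside an allow-list, plus a pure "plan" function for the remediation Lambda. The rule parameter name, the VPC/IGW ids and the sample event are constructed assumptions; the real `put_evaluations` and `detach_internet_gateway` calls are left to the caller.

```python
import json

# Hypothetical rule parameter: comma-separated VPC ids that may legitimately carry an IGW.
PARAM_NAME = "AuthorizedVpcIds"

def evaluate_igw(config_item: dict, authorized_vpcs: set) -> str:
    """Return the AWS Config compliance type for one AWS::EC2::InternetGateway item."""
    if config_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"          # deleted IGW cannot expose anything
    if config_item.get("resourceType") != "AWS::EC2::InternetGateway":
        return "NOT_APPLICABLE"
    attachments = config_item.get("configuration", {}).get("attachments", [])
    # Any attachment to a VPC outside the allow-list gives its subnets a path to the internet.
    for att in attachments:
        if att.get("vpcId") not in authorized_vpcs:
            return "NON_COMPLIANT"
    return "COMPLIANT"

def lambda_handler(event: dict, context=None) -> dict:
    """Entry point in the shape AWS Config uses for custom Lambda rules.
    Returns the evaluation dict; sending it with config.put_evaluations() is left to the caller."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    authorized = {v.strip() for v in params.get(PARAM_NAME, "").split(",") if v.strip()}
    item = invoking["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_igw(item, authorized),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def detach_plan(config_item: dict, authorized_vpcs: set) -> list:
    """Remediation half: the (igw, vpc) pairs a remediation Lambda would detach.
    Kept pure so the plan can be logged and reviewed before ec2.detach_internet_gateway() runs."""
    igw = config_item["resourceId"]
    return [(igw, a["vpcId"]) for a in config_item.get("configuration", {}).get("attachments", [])
            if a.get("vpcId") not in authorized_vpcs]

# Constructed sample: an IGW attached to the analytics VPC, which is not on the allow-list.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::InternetGateway",
    "resourceId": "igw-0example",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"attachments": [{"state": "available", "vpcId": "vpc-0analytics"}]},
}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM}),
                "ruleParameters": json.dumps({PARAM_NAME: "vpc-0public"})}
```

The managed rule `internet-gateway-authorized-vpc-only` referenced in the comments below covers the same detection without custom code; the custom handler is useful when the remediation plan needs extra logic.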

Comments

BillyC
Highly Voted 3 years, 9 months ago
A is Correct
upvoted 21 times
Milind
Highly Voted 3 years, 9 months ago
A is correct; there is no option to mark a VPC as private. You need to change the route table to disable the internet connectivity.
upvoted 19 times
rip72
3 years, 8 months ago
"Mark it as Private" is what eliminated B for me. If the option had been to configure it as a private subnet, I would have a different opinion.
upvoted 2 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: A
A is the correct answer.
upvoted 1 times
yorkicurke
1 year, 6 months ago
Selected Answer: A
Almost went for C but then realized you can make VPC private; you do that to a subnet. Also, just disabling Elastic IP addresses within the VPC configuration does not prevent a subnet from being exposed to the internet.
upvoted 1 times
yorkicurke
1 year, 6 months ago
Sorry, I meant to say 'you can NOT make VPC private'.
upvoted 1 times
pk0619
2 years ago
Selected Answer: A
A is correct
upvoted 1 times
ITGURU51
2 years ago
In AWS, a VPC is private by default. This means that all the resources within the VPC are not accessible from the internet unless you explicitly allow it by configuring an internet gateway and updating the route tables and security groups. There is no specific option to mark a VPC as private, but you can ensure that it remains private by not configuring an internet gateway and not allowing inbound traffic from the internet. A
upvoted 4 times
ITGURU51
2 years, 3 months ago
Auto remediation is considered an AWS best practice, therefore A is the best possible choice.
upvoted 2 times
skillz2investor
2 years, 7 months ago
Selected Answer: A
A is correct.
upvoted 2 times
knc
2 years, 9 months ago
Selected Answer: A
Use of Config rules allows detecting the deviation from the desired state, and Lambda can be used to remediate/roll back the changes.
upvoted 1 times
Rja148393
2 years, 11 months ago
Selected Answer: A
A - config rules like these https://docs.aws.amazon.com/config/latest/developerguide/internet-gateway-authorized-vpc-only.html can be used
upvoted 4 times
roger8978
3 years, 6 months ago
Only A makes sense
upvoted 1 times
Kdosec
3 years, 8 months ago
A is correct, just with AWS Config and Lambda in this case. https://aws.amazon.com/blogs/mt/manage-custom-aws-config-rules-with-remediations-using-conformance-packs/
upvoted 2 times
DerekKey
3 years, 8 months ago
Strange that nobody checked other answers.
A is WRONG - AWS Config will not start Lambda. It is the AWS Config Rule that does it.
B is WRONG - no option to set VPC as private (no internet).
C looks OK - default VPC doesn't have routing for IPv6 set to IGW and IPv6 addressing is not enabled by default. You have to manually make the necessary changes to enable it. So changing addressing to IPv6 will prevent EC2 from being accessible from the internet even if there is an IGW turned on.
D - Dedicated Host will be placed in a VPC (more control and config but same EC2 features).
upvoted 1 times
DerekKey
3 years, 8 months ago
C is WRONG - I was too fast. VPC is IPv4 by default, but you cannot use IPv6 exclusively and disable IPv4 addressing. The only answer sounding closest to the solution that I would use is answer A. It is a simplification of the process/steps but overall describes what could be done.
upvoted 4 times
sanjaym
3 years, 8 months ago
Ans: A 100%
upvoted 2 times
Edgecrusher77
3 years, 8 months ago
Correct is A. B: Show me where you can mark the VPC as private!!
upvoted 2 times
NANDY666
3 years, 8 months ago
A is correct
upvoted 1 times
devjava
3 years, 8 months ago
Ans > A
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other