Exam AWS Certified Security - Specialty topic 1 question 84 discussion

B and D for me

The answer is in the question: check for known vulnerabilities (inspector) limit the attack surface (close unnecessary ports) terminating SSL alone in an ELB is only part of a solution, you have to take additional steps with security groups, moving EC2 to private subnets, etc. B&D

BD tick the boxes for the requirements in this question. B. limit the open ports to only the necessary ones. D. Inspector to scan for periodic scans. ELB from the perspective of offloading SSL encryption, does not convince me. ELB can ofc minimize the attack surface, but to "limit the attach surface" with how options are worded, I pick D over E.

AWS best practice: use security groups to limit the attack surface and use Amazon Inspector to scan for vulnerabilities.

B and D are the most correct answers. If they did not ask about vulnerabilities, I would have selected BC because putting an ALB also reduces the surface. https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/attack-surface-reduction.html

I agree on B and D as well.

A: ACM cert cannot be installed on the application servers. B: A must C: Good one D: More important than C E: EKS is not for network traffic encryption.

BD - Use Inspector to scan for vulnerability, and restrict SGs ports opened for known vulnerabilities

B & D. port need to control. Inspector need for scan.

Answer B & D B --> Reduce Attack Surface D --> actual ask of "scan for and mitigate known vulnerabilities"

Rookie here, why not A/E though?

D is quite obvious. C could/would have been right had they not said it was used for SSL offloading. I would have gone for C if they said something like ‘to isolate instances from the internet’. Therefore, B is the best answer (along with D)

Ans: BD 100%

BD is Correct

YOU ARE RIGHT BUT: we using the security group to satisfy the ELB You can specify security groups when you launch an instance, or you can associate the instance with a security group at a later time. All internet traffic to a security group is implicitly denied unless you create an allow rule to permit the traffic. For example, if you have a web application that uses an ELB and a number of Amazon EC2 instances, you might decide to create one security group for the ELB (ELB security group) and one for the instances (web application server security group). You can then create an allow rule to permit internet traffic to the ELB security group, and another rule to permit traffic from the ELB security group to the web application server security group. This ensures that internet traffic can’t directly communicate with your Amazon EC2 instances, which makes it more difficult for an attacker to learn about and impact your application. my take are B and D

Vote for C and D. The reason to go with ELB option is to reduce the attack surface. Instead of exposing all EC2 to the Internet, you put an EBL and hide all EC2 in your private subnet without direct exposure to the internet. They can attack on the ELB but they will not know the server information behind it.

B - SG to Limit attack surface D- Scan vulnerabilities - AWS inspector