
Exam AWS Certified Security - Specialty topic 1 question 84 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 84
Topic #: 1

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

  • A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
  • B. Review the application security groups to ensure that only the necessary ports are open.
  • C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
  • D. Use Amazon Inspector to periodically scan the backend instances.
  • E. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.
Suggested Answer: BD

Comments

BillyC
Highly Voted 3 years, 9 months ago
B and D for me
upvoted 35 times
ucsdmiami2020
3 years, 8 months ago
https://aws.amazon.com/inspector/ "Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. "
upvoted 4 times
[Removed]
Highly Voted 3 years, 8 months ago
The answer is in the question: check for known vulnerabilities (Inspector); limit the attack surface (close unnecessary ports). Terminating SSL alone in an ELB is only part of a solution; you have to take additional steps with security groups, moving EC2 to private subnets, etc. B&D
upvoted 17 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: BD
BD tick the boxes for the requirements in this question. B: limit the open ports to only the necessary ones. D: Inspector for periodic scans. ELB, from the perspective of offloading SSL encryption, does not convince me. ELB can of course minimize the attack surface, but to "limit the attack surface" with how the options are worded, I pick D over E.
upvoted 1 times
ITGURU51
2 years, 1 month ago
AWS best practice: use security groups to limit the attack surface and use Amazon Inspector to scan for vulnerabilities.
upvoted 1 times
matrpro
2 years, 2 months ago
Selected Answer: BD
B and D are the most correct answers. If they did not ask about vulnerabilities, I would have selected BC because putting an ALB also reduces the surface. https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/attack-surface-reduction.html
upvoted 1 times
dcasabona
2 years, 11 months ago
Selected Answer: BD
I agree on B and D as well.
upvoted 1 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: BD
A: ACM cert cannot be installed on the application servers. B: A must. C: Good one. D: More important than C. E: EKS is not for network traffic encryption.
upvoted 2 times
ceros399
3 years, 3 months ago
Selected Answer: BD
BD - Use Inspector to scan for vulnerability, and restrict SGs ports opened for known vulnerabilities
upvoted 1 times
Pratham123
3 years, 5 months ago
B & D. Ports need to be controlled. Inspector is needed for scanning.
upvoted 1 times
Radhaghosh
3 years, 5 months ago
Answer B & D. B --> reduce attack surface; D --> the actual ask of "scan for and mitigate known vulnerabilities".
upvoted 1 times
AkaAka4
3 years, 7 months ago
Rookie here, why not A/E though?
upvoted 1 times
TigerInTheCloud
3 years, 2 months ago
A: ACM cert cannot be installed on the application servers. E: EKS is not for network traffic encryption.
upvoted 1 times
haroldhil220
3 years, 8 months ago
D is quite obvious. C could/would have been right had they not said it was used for SSL offloading. I would have gone for C if they said something like ‘to isolate instances from the internet’. Therefore, B is the best answer (along with D)
upvoted 1 times
sanjaym
3 years, 8 months ago
Ans: BD 100%
upvoted 1 times
EA_Practice
3 years, 8 months ago
you are persistently good with useless responses. Keep on!
upvoted 7 times
NANDY666
3 years, 8 months ago
BD is Correct
upvoted 1 times
argol
3 years, 8 months ago
YOU ARE RIGHT BUT: we are using the security group to satisfy the ELB. You can specify security groups when you launch an instance, or you can associate the instance with a security group at a later time. All internet traffic to a security group is implicitly denied unless you create an allow rule to permit the traffic. For example, if you have a web application that uses an ELB and a number of Amazon EC2 instances, you might decide to create one security group for the ELB (ELB security group) and one for the instances (web application server security group). You can then create an allow rule to permit internet traffic to the ELB security group, and another rule to permit traffic from the ELB security group to the web application server security group. This ensures that internet traffic can't directly communicate with your Amazon EC2 instances, which makes it more difficult for an attacker to learn about and impact your application. My take is B and D.
upvoted 2 times
Paagee
3 years, 8 months ago
Vote for C and D. The reason to go with the ELB option is to reduce the attack surface. Instead of exposing all EC2 instances to the Internet, you put an ELB in front and hide all EC2 instances in your private subnet without direct exposure to the internet. They can attack the ELB, but they will not know the server information behind it.
upvoted 2 times
Paagee
3 years, 8 months ago
Here is the link from AWS about reduction of attack surface "Typically, users can quickly and easily use an application without requiring that AWS resources be fully exposed to the internet. For example, when you have Amazon EC2 instances behind an ELB, the instances themselves might not need to be publicly accessible. Instead, you could provide users with access to the ELB on certain TCP ports and allow only the ELB to communicate with the instances" https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/obfuscating-aws-resources-bp1-bp4-bp5.html
upvoted 2 times
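A small audit of the two-security-group pattern argol and Paagee describe above (a public ELB group, and an app-server group that trusts only the ELB group), as an added example that is not from this page or from AWS. It runs offline over constructed records shaped like `aws ec2 describe-security-groups` output; the group ids `sg-elb`/`sg-app` and the ports are assumptions for illustration.

```python
"""Audit EC2 security group rules for the ELB-in-front, private-app-tier pattern.
Sample groups are constructed to mimic `aws ec2 describe-security-groups` output;
the group ids (sg-elb, sg-app) and ports are illustrative only."""

WILDCARDS = {"0.0.0.0/0", "::/0"}

def public_sources(rule):
    """CIDRs in this inbound rule that admit the whole internet (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WILDCARDS)

def audit(groups, edge_sg, edge_ports):
    """One finding per internet-reachable rule that is not the edge (ELB) group on an
    approved port. Back-end groups must trust the edge group via UserIdGroupPairs."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            exposed = public_sources(rule)
            if not exposed:
                continue
            if rule["IpProtocol"] == "-1":          # all protocols, all ports
                span = "all"
            else:
                ports = set(range(rule["FromPort"], rule["ToPort"] + 1))
                if g["GroupId"] == edge_sg and ports <= edge_ports:
                    continue                        # the load balancer is meant to be public here
                span = f"{rule['FromPort']}-{rule['ToPort']}"
            findings.append(f"{g['GroupId']} ({g['GroupName']}): {rule['IpProtocol']}/{span} from {','.join(exposed)}")
    return findings

def tcp(port, cidrs=(), sgs=()):
    """Build a single-port inbound TCP rule in describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": s} for s in sgs]}

# Weak (constructed): app servers reachable directly from the internet on SSH and the app port.
WEAK = [
    {"GroupId": "sg-elb", "GroupName": "elb", "IpPermissions": [tcp(443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-app", "GroupName": "app",
     "IpPermissions": [tcp(22, cidrs=["0.0.0.0/0"]), tcp(8080, cidrs=["0.0.0.0/0"])]},
]
# Hardened (constructed): only the ELB group is public (443); app servers accept 8080 from sg-elb alone.
HARDENED = [
    {"GroupId": "sg-elb", "GroupName": "elb", "IpPermissions": [tcp(443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [tcp(8080, sgs=["sg-elb"])]},
]
```

Calling `audit(WEAK, "sg-elb", {443})` reports the two publicly open app-server rules, while `audit(HARDENED, "sg-elb", {443})` returns an empty list; an edge group with an `IpProtocol` of `-1` to `0.0.0.0/0` is flagged as `all` rather than excused.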
kalzht00
3 years, 8 months ago
B - SG to Limit attack surface D- Scan vulnerabilities - AWS inspector
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other