A company has multiple VPCs in their account that are peered, as shown in the diagram. A Security Engineer wants to perform penetration tests of the Amazon EC2 instances in all three VPCs. How can this be accomplished? (Choose two.)
A.
Deploy a pre-authorized scanning engine from the AWS Marketplace into VPC B, and use it to scan instances in all three VPCs. Do not complete the penetration test request form.
B.
Deploy a pre-authorized scanning engine from the Marketplace into each VPC, and scan instances in each VPC from the scanning engine in that VPC. Do not complete the penetration test request form.
C.
Create a VPN connection from the data center to VPC A. Use an on-premises scanning engine to scan the instances in all three VPCs. Complete the penetration test request form for all three VPCs.
D.
Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Do not complete the penetration test request form.
E.
Create a VPN connection from the data center to each of the three VPCs. Use an on-premises scanning engine to scan the instances in each VPC. Complete the penetration test request form for all three VPCs.
B & D are correct.
A is incorrect. Transitive peering is not supported. B can't access C.
C is incorrect. Edge-to-edge routing is not supported.
E is incorrect. You don't need to / can't complete the penetration test request form.
edge-to-edge routing in a cloud
For example, you have a corporate network connected to one Amazon VPC (A). That VPC is also connected to another VPC (B). Routing from your corporate network through VPC A to reach VPC B is an example of edge-to-edge routing (and it's not allowed).
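To make the two routing rules the comments rely on (peering is not transitive; no edge-to-edge routing over a VPN) concrete, here is a small reachability model. It is an added example written for this page, not code from AWS or from any commenter; the VPC names (vpc-a, vpc-b, vpc-c) and the topology are constructed to match the question's diagram, and the option labels are my own mapping onto the answer choices.

```python
"""Reachability model for the scanner-placement question above.

Added example (not from the original page). It encodes two documented AWS VPC
peering rules so the answer options can be checked mechanically:
  * Peering is not transitive: A<->B and A<->C do not give B<->C.
  * No edge-to-edge routing: a VPN terminating in A does not extend across A's
    peering connections to B or C.
VPC names below are constructed for the example.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, Set

# Constructed topology matching the question: VPC A peered with B and with C.
PEERINGS: Set[FrozenSet[str]] = {
    frozenset({"vpc-a", "vpc-b"}),
    frozenset({"vpc-a", "vpc-c"}),
}
ALL_VPCS: Set[str] = {"vpc-a", "vpc-b", "vpc-c"}


def reachable_from_vpc(scanner_vpc: str, peerings: Set[FrozenSet[str]]) -> Set[str]:
    """VPCs a scanning engine deployed inside `scanner_vpc` can reach.

    Only the scanner's own VPC and its *direct* peers count: AWS does not
    forward traffic arriving over one peering connection into another.
    """
    reach = {scanner_vpc}
    for pair in peerings:
        if scanner_vpc in pair:
            reach |= set(pair)
    return reach


def reachable_from_onprem(vpn_vpcs: Iterable[str], peerings: Set[FrozenSet[str]]) -> Set[str]:
    """VPCs an on-premises scanner can reach over VPN connections.

    `vpn_vpcs` lists the VPCs in which a VPN terminates. `peerings` is
    intentionally unused: traffic entering from a VPN is not routed onward
    across that VPC's peering connections (edge-to-edge routing is not allowed).
    """
    return set(vpn_vpcs)


def naive_transitive_reach(start: str, peerings: Set[FrozenSet[str]]) -> Set[str]:
    """What a plain graph search would claim if peering *were* transitive.

    Included only to show how much the naive assumption overstates coverage.
    """
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for pair in peerings:
            if node in pair:
                for other in pair - {node}:
                    if other not in seen:
                        seen.add(other)
                        queue.append(other)
    return seen


def uncovered(targets: Set[str], reach: Set[str]) -> Set[str]:
    """Targets the proposed placement cannot scan at all."""
    return set(targets) - reach


def evaluate_options() -> Dict[str, Set[str]]:
    """Map each answer option's scanner placement to the VPCs it leaves unscanned."""
    # Option B: one scanner per VPC, each scanning only the VPC it lives in.
    one_scanner_per_vpc = set().union(*(reachable_from_vpc(v, PEERINGS) for v in ALL_VPCS))
    return {
        "A: scanner in VPC B only": uncovered(ALL_VPCS, reachable_from_vpc("vpc-b", PEERINGS)),
        "B: scanner in every VPC": uncovered(ALL_VPCS, one_scanner_per_vpc),
        "C: VPN to VPC A only": uncovered(ALL_VPCS, reachable_from_onprem({"vpc-a"}, PEERINGS)),
        "D/E: VPN to every VPC": uncovered(ALL_VPCS, reachable_from_onprem(ALL_VPCS, PEERINGS)),
    }


if __name__ == "__main__":
    for option, missing in evaluate_options().items():
        print(f"{option:26s} unreachable: {sorted(missing) or 'none'}")
    print("naive transitive claim from VPC B:",
          sorted(naive_transitive_reach("vpc-b", PEERINGS)))
```

Running it shows option A leaving vpc-c unreachable and option C leaving vpc-b and vpc-c unreachable, while the naive transitive search would (wrongly) report all three VPCs reachable from a scanner in B. The remaining distinction between D and E is policy (whether a request form is needed), which a routing model cannot decide.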
AWS permits security assessments or penetration tests against its AWS infrastructure without prior approval for 8 services, listed as “Permitted Services.”
Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
Amazon RDS
Amazon CloudFront
Amazon Aurora
Amazon API Gateways
AWS Lambda and Lambda Edge functions
Amazon Lightsail resources
Amazon Elastic Beanstalk environments
https://aws.amazon.com/security/penetration-testing/
So, C and E: ruled out.
A: no transitive peering supported via VPC.
B and D are correct.
BD are the correct answers here.
D because you do not need to submit any request for pen tests against EC2.
https://aws.amazon.com/security/penetration-testing
Given answers are correct:
You are required to complete a penetration testing request to perform any pen test on EC2 instances or VPCs. Only for an AWS authorized partner is pentest permission not required. Also, as per ChatGPT on edge-to-edge routing:
VPC peering enables communication between VPCs as if they are on the same network. This includes edge-to-edge routing, allowing traffic to flow directly between the peered VPCs.
Since VPC A is connected to B and C as a peer, you can perform the penetration test by connecting to the VPN on your premises, and you must complete the penetration test form. I think it's C and E.
Think:
A - Incorrect because cross peering is not supported.
B - CORRECT - because it is technically possible (there is a clue here).
C - Incorrect - for the same reason as A.
D - CORRECT - because it's technically possible (it connects with the clue from B).
E - Incorrect - despite the fact that it's technically possible, it doesn't connect with B.
Why?
Once we don't have to complete the request form (as mentioned in B), we can assume that the pen test doesn't include command&control commands. So, between D and E, we can securely choose D based on B.
That is it for me!
AWS does allow penetration testing of its services, but it requires users to request permission via a penetration testing form before conducting such tests to ensure the safety and integrity of its services. For penetration testing, AWS customers can deploy pre-authorized scanning engines from AWS Marketplace, but these should be deployed into each VPC because VPC peering connections are not transitive.
Option B suggests using a scanning engine from the AWS Marketplace in each VPC, allowing for targeted scanning within each environment. This approach would not require the completion of a penetration testing request form, as these Marketplace solutions are pre-approved for such use.
Option E suggests setting up a VPN connection from the on-premises data center to each VPC, which would then use an on-premises scanning engine to carry out the penetration testing. This approach requires the completion of the penetration testing request form because it involves an external, potentially non-approved, scanning engine.
If A mentioned VPC A instead of VPC B, could it be a correct answer? In other words, could VPC A, being able to reach out to VPC B and VPC C, be able to complete the scanning process? I think that would be useful to know in day-to-day experience with AWS.
You don't need to submit pen test request form for EC2s anymore. - https://aws.amazon.com/security/penetration-testing/
And you can't use transitive peering. Therefore B&D.
Customer Service Policy for Penetration Testing
Permitted Services
Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
Amazon RDS
Amazon CloudFront
Amazon Aurora
Amazon API Gateways
AWS Fargate
AWS Lambda and Lambda Edge functions
Amazon Lightsail resources
Amazon Elastic Beanstalk environments
Prohibited Activities
DNS zone walking via Amazon Route 53 Hosted Zones
Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS (These are subject to the DDoS Simulation Testing policy)
Port flooding
Protocol flooding
Request flooding (login request flooding, API request flooding)
AWS permits security assessments or penetration tests against its AWS infrastructure without prior approval for 8 services, listed as “Permitted Services.”
Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
https://aws.amazon.com/security/penetration-testing/
No transitive peering supported via VPC peering
For an EC2 pen test you don't need a request to be placed. Again, VPC peering doesn't support edge routing or transitive peering. This leaves B & D as the correct options.