Exam CS0-002 topic 1 question 297 discussion

Surely a cloud infrastructure needs internet access though? What good is it without it?

The BEST approach to protect the environment in this scenario would be to block internet access in the development VPC. This would prevent the developers from browsing the internet on the development servers and limit the attack surface on these servers. By using a security rule to block internet access, the security analyst can ensure that only the necessary traffic is allowed into the development VPC. Additionally, this approach would not impact the developers' ability to access the necessary resources and tools they need to perform their work. Placing a jumpbox or removing the administrator's profile from the developer user group in identity and access management may be useful in other contexts, but they are not the most appropriate solutions to address the security risks associated with browsing the internet on development servers. Creating an alert that is triggered when a developer installs an application on a server is also useful but does not directly address the issue of developers browsing the internet on the servers.

If developers are not allowed to install things, they will not do. I see quite obvious that answer is C. A. Not really know if developers are web developers. Let me know how to develop a web app without internet access. B. Jumphost does not solve the issue. I use a jumphost where I am not admin to access to servers where I am admin and can do whatever. D. Ok, SOC has the alert. Is it not 1000 times much better to avoid the alert itself?

For those who think it can't be A because you need an internet connection, you can allow the internet connection for connecting to the VPC but block outbound internet connection within the VPC. This is what A is implying. https://docs.aws.amazon.com/prescriptive-guidance/latest/secure-outbound-network-traffic/restricting-outbound-traffic.html

This was on the test

My answer was originally A but changing to D, surely the development team needs internet access to their VPC to do their duties. D so SOC is aware of any new installations & if triggered, can see what is downloaded. Selecting A would be like a dos attack.

If the user cannot install browser then he will not able to browse. Installation word is the key.

Since the developers are browsing the internet from the development servers, it increases the risk of malware infections or other types of attacks on the servers. Blocking internet access in the development VPC can help to reduce this risk.

Leaning towards A. We can toss C and D, those to nothing to "BEST protect" the environment. B - would not necessarily protect as well since they may still be able to install a browser and hit the internet. A is the only one that looks like it would stop the browsing. Especially if the Dev VPC is a separate VPC. This would allow any other VPC to be able to connect outbound and browse.

D is the only viable option here. Since we're dealing with a cloud environment, Internet access is definitely required. And jumpboxes is primarily for access control, which will not solve the issue mentioned in the question.

A - if you don't want them browsing the internet, then block it. A jumpbox does nothing to prevent them from browing the internet from the servers.

Going to change my answer to B. gnng x3 is still a bot tho

A is correct. Also thinking gnng x3 is a bot

Option B, "Place a jumpbox in between the developers' workstations and the development VPC", is the best option to protect the environment because it provides an additional layer of security. A jumpbox, also known as a bastion host, is a secure, isolated machine that is used to access other systems in a secure manner. By using a jumpbox, the security analyst can ensure that only authorized users have access to the development servers, and all incoming connections are monitored and logged. This reduces the risk of an attacker being able to gain access to the development VPC directly and potentially exploiting vulnerabilities in the browsers installed on the development servers.