AWS Certified Cloud Practitioner — Question 875
A company has multiple applications and is now building a new multi-tier application. The company will host the new application on Amazon EC2 instances. The company wants the network routing and traffic between the various applications to follow the security principle of least privilege.
Which AWS service or feature should the company use to enforce this principle?
Answer options
- A. Security groups
- B. AWS Shield
- C. AWS Global Accelerator
- D. AWS Direct Connect gateway
Correct answer: A
Explanation
Security groups act as stateful virtual firewalls for Amazon EC2 instances, letting administrators permit only the specific inbound and outbound traffic each instance requires, which is how least privilege is enforced at the instance level. Because a rule can name another security group as its source, each tier of the new application can accept traffic only from the tier that legitimately calls it. In contrast, AWS Shield is designed for DDoS protection, AWS Global Accelerator optimizes global network routing for performance, and AWS Direct Connect gateway links on-premises networks to AWS VPCs, so none of them provides fine-grained inter-application traffic control.