AWS Certified Security – Specialty (SCS-C02) — Question 5

A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.
The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.
Which combination of actions should the security engineer recommend to meet these requirements? (Choose three.)

Answer options

• A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
• B. Place the DB instance in a public subnet.
• C. Place the DB instance in a private subnet.
• D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
• E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
• F. Deploy the ALB in a private subnet.

Correct answer: A, C, E

Explanation

The correct actions are to deploy a NAT gateway in each private subnet, place the DB instance in a private subnet, and configure the EC2 instances in the Auto Scaling group to also be in a private subnet. This setup ensures that the application can maintain secure communication with the external payment provider while scaling naturally, as direct internet access is only allowed for HTTP and HTTPS traffic. Options B and D are incorrect because placing the DB instance or EC2 instances in a public subnet would expose them to the internet, which is not needed and could compromise security.