AWS Certified Security – Specialty (SCS-C02) — Question 94

The security engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the internet.

What steps should the security engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

Answer options

• A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
• B. Review the application security groups to ensure that only the necessary ports are open.
• C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
• D. Use Amazon Inspector to periodically scan the backend instances.
• E. Use AWS Key Management Service (AWS KMS) to encrypt all the traffic between the client and application servers.

Correct answer: B, D

Explanation

The correct answers are B and D. Option B is essential as it ensures that only necessary ports are open, thereby limiting the attack surface. Option D is also correct because using Amazon Inspector helps identify vulnerabilities in the backend instances. Options A, C, and E focus on encryption and traffic management rather than directly addressing vulnerability assessment and attack surface reduction.