AWS Certified Security – Specialty — Question 262

A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.
The only require connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communicators with the external payment provider are not interrupted as the environment scales.
Which combination of actions should the security engineer recommend to meet these requirements? (Choose three.)

Answer options

• A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
• B. Place the DB instance in a public subnet.
• C. Place the DB instance in a private subnet.
• D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
• E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
• F. Deploy the ALB in a private subnet.

Correct answer: A, C, E

Explanation

The correct actions include deploying a NAT gateway in each private subnet to allow outbound internet access for the EC2 instances, placing the DB instance in a private subnet to enhance security, and configuring the EC2 instances to also reside in a private subnet for better protection. Options B and D are incorrect as they expose the DB instance and EC2 instances to the public internet, which contradicts the requirement for restricted connectivity.