AWS Certified Security – Specialty — Question 311
A security engineer is creating a new Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. The cluster will act as a data warehouse. A separate fleet of application servers will extract records from the data warehouse and will transform these records into reports that will be uploaded to Amazon S3 buckets.
The security engineer must securely configure the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster so that only the application servers can access it.
Which solution meets these requirements?
Answer options
- A. Configure network ACLs on the subnets that host the Amazon OpenSearch Service (Amazon Elasticsearch Service) instances to allow access from the application servers only.
- B. Configure a VPC peering connection between the VPC that contains the application servers and the VPC that contains the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster.
- C. Monitor the VPC flow logs for traffic that is destined for the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Use the flow logs to detect traffic that did not originate from the application servers.
- D. Configure the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster for VPC access only. Use a security group to allow access to the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster from the application servers only.
Correct answer: D
Explanation
Deploying the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster with VPC access ensures that its endpoint is reachable only from within the VPC and is not exposed to the public internet. Attaching a security group to the cluster whose inbound rule references the application servers' security group (rather than a CIDR range) restricts inbound traffic to those specific instances, and the rule stays correct as servers in the fleet are replaced. The other options fall short: network ACLs are stateless and apply to whole subnets rather than to individual instances; VPC peering only provides connectivity and does not restrict who can connect; and VPC flow logs are a detective control that records traffic after the fact rather than blocking it. None of them provides the same targeted, stateful access control.
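The following check, added here as an example and not taken from the exam or from AWS, verifies that a domain configuration matches the pattern in answer D: a VPC-only endpoint whose security group admits HTTPS only from the application servers' security group. The domain, VPC and security group identifiers and the JSON fragments are constructed placeholders shaped like `aws opensearch describe-domain` and `aws ec2 describe-security-groups` output.

```python
# Audit an OpenSearch domain for "VPC access only + security group referencing the app fleet".
# All identifiers below are constructed placeholders, not real AWS resources.

APP_SERVER_SG = "sg-0app000000000001"   # constructed: security group on the application servers

# Constructed fragment in the shape of `aws opensearch describe-domain` output (VPC domain)
DOMAIN = {
    "DomainName": "reports-warehouse",
    "Endpoints": {"vpc": "vpc-reports-warehouse-abc123.us-east-1.es.amazonaws.com"},
    "VPCOptions": {"VPCId": "vpc-0aaa", "SecurityGroupIds": ["sg-0os0000000000001"]},
}

# Constructed fragment in the shape of `aws ec2 describe-security-groups` output
SECURITY_GROUPS = {
    "sg-0os0000000000001": {            # intended rule: HTTPS from the app-server group only
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SERVER_SG}]},
        ]
    },
    "sg-0public000000002": {            # counterexample: HTTPS open to the whole internet
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ]
    },
}


def audit_domain(domain, security_groups, allowed_source_sgs):
    """Return a list of findings; an empty list means the domain matches the intended pattern."""
    findings = []
    # A public domain reports a single "Endpoint"; a VPC domain reports Endpoints["vpc"].
    if "vpc" not in domain.get("Endpoints", {}) or "VPCOptions" not in domain:
        findings.append("domain endpoint is public, not VPC-only")
        return findings
    for sg_id in domain["VPCOptions"].get("SecurityGroupIds", []):
        for perm in security_groups.get(sg_id, {}).get("IpPermissions", []):
            # Any CIDR-based source is broader than "these application servers only".
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                findings.append(f"{sg_id}: ingress from CIDR {cidr}")
            # Group references are fine only when they name the application fleet's group.
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed_source_sgs:
                    findings.append(f"{sg_id}: ingress from unexpected group {pair['GroupId']}")
    return findings
```

Run `audit_domain(DOMAIN, SECURITY_GROUPS, {APP_SERVER_SG})` against real `describe-domain` and `describe-security-groups` JSON to get a finding for every source that is not the application servers' group.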