AWS Certified Security – Specialty — Question 5
Which of the following minimizes the potential attack surface for applications?
Answer options
- A. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
- B. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
- C. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
- D. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.
Correct answer: A
Explanation
The correct answer is A. Security groups act as stateful firewalls attached to individual EC2 instances (enforced at the hypervisor level), giving granular, allow-list control over inbound and outbound traffic per instance; exposing only the ports and sources each instance needs minimizes the attack surface. Option B is incorrect because network ACLs are stateless, not stateful, and because they apply to an entire subnet they do not offer instance-level granularity. Option C concerns secure connectivity rather than attack surface: AWS Direct Connect links an on-premises network to AWS and is not used between EC2 instances within private subnets. Option D's single security layer in the perimeter network concentrates all controls in one place, so a single bypass exposes everything behind it; defense in depth calls for multiple layers.