AWS Certified Security – Specialty — Question 50
Some highly sensitive analytics workloads are to be moved to Amazon EC2 hosts. Threat modeling has found that a risk exists where a subnet could be maliciously or accidentally exposed to the internet.
Which of the following mitigations should be recommended?
Answer options
- A. Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
- B. Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
- C. Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
- D. Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
Correct answer: A
Explanation
The correct answer is A. A subnet only becomes reachable from the internet when its route table sends 0.0.0.0/0 (or ::/0) to an Internet Gateway, and that gateway must first be attached to the VPC, so the gateway attachment is the right event to watch. AWS Config records AWS::EC2::InternetGateway and AWS::EC2::VPC configuration items and evaluates rules on every configuration change; the managed rule internet-gateway-authorized-vpc-only (parameter AuthorizedVpcIds) flags a gateway attached to any VPC outside an allowlist, and a custom rule can apply stricter logic. A NON_COMPLIANT result can trigger a Lambda function (directly, or through a Systems Manager Automation remediation action) that detaches the gateway, so an accidental or malicious change is reverted within minutes instead of being found at the next audit. This is still a detective control with a short exposure window, so in practice it is paired with a preventive control such as a service control policy that denies ec2:CreateInternetGateway and ec2:AttachInternetGateway in the affected accounts. Option B is wrong because no such settings exist: a VPC cannot be marked "private", and Elastic IP allocation is an account-level EC2 action, not a VPC toggle. Option C is wrong because Amazon-provided IPv6 addresses are globally unique and publicly routable; an IPv6 subnet with a route to an internet gateway is reachable from the internet, and an egress-only internet gateway limits IPv6 traffic to outbound only rather than removing the route. Option D is wrong because a Dedicated Host is a tenancy choice (a physical server reserved for your instances, chosen for licensing or compliance reasons); it adds no network controls and does nothing about subnet exposure.
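Added example, not part of the question or its answer key: a custom AWS Config rule handler in Python that evaluates AWS::EC2::InternetGateway configuration items against an assumed AuthorizedVpcIds rule parameter, plus a remediation step that detaches the gateway from any VPC not on that list. The event layout follows what Config sends to custom-rule Lambda functions; the VPC and gateway ids, the parameter name and the FakeEc2 client are constructed for the example so it runs offline.

```python
"""Custom AWS Config rule plus auto-remediation for Internet Gateway attachments.

Assumptions (not from the question): deployed as a Lambda function invoked by
AWS Config on configuration changes of AWS::EC2::InternetGateway resources, with
one rule parameter, AuthorizedVpcIds (comma-separated VPC ids). Clients are
injected so the logic can be exercised without AWS credentials.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"
IGW_TYPE = "AWS::EC2::InternetGateway"


def parse_authorized_vpcs(rule_parameters):
    """ruleParameters arrives as a JSON string; no parameter means no VPC may have an IGW."""
    if not rule_parameters:
        return set()
    raw = json.loads(rule_parameters).get("AuthorizedVpcIds", "")
    return {v.strip() for v in raw.split(",") if v.strip()}


def attached_vpcs(configuration_item):
    """VPC ids the gateway is attached to, taken from the recorded configuration."""
    cfg = configuration_item.get("configuration") or {}
    return [a["vpcId"] for a in cfg.get("attachments", []) if a.get("vpcId")]


def evaluate_igw(configuration_item, authorized):
    """Return (complianceType, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != IGW_TYPE:
        return NOT_APPLICABLE, "rule only evaluates internet gateways"
    if configuration_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return NOT_APPLICABLE, "resource deleted"
    unauthorized = [v for v in attached_vpcs(configuration_item) if v not in authorized]
    if unauthorized:
        return NON_COMPLIANT, "attached to unauthorized VPC: " + ", ".join(unauthorized)
    return COMPLIANT, "no attachment to an unauthorized VPC"


def item_from_event(event):
    """Unpack the configuration item from a Config invocation (invokingEvent is a JSON string)."""
    invoking = json.loads(event["invokingEvent"])
    if "configurationItem" not in invoking:
        # Oversized items carry only a summary; real code fetches the full item from Config.
        raise ValueError("unsupported messageType: %s" % invoking.get("messageType"))
    return invoking["configurationItem"]


def lambda_handler(event, context, config_client=None):
    """Config custom-rule entry point; reports via PutEvaluations when a client is given."""
    item = item_from_event(event)
    compliance, annotation = evaluate_igw(item, parse_authorized_vpcs(event.get("ruleParameters")))
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def remediate(configuration_item, authorized, ec2_client):
    """Detach the gateway from every unauthorized VPC; returns the VPC ids detached."""
    igw_id = configuration_item["resourceId"]
    detached = []
    for vpc in attached_vpcs(configuration_item):
        if vpc not in authorized:
            ec2_client.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc)
            detached.append(vpc)
    return detached


class FakeEc2:
    """Stand-in for boto3's EC2 client; records the calls instead of making them."""
    def __init__(self):
        self.calls = []

    def detach_internet_gateway(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def sample_event(vpc_id="vpc-0123456789abcdef0", authorized="vpc-0aaaaaaaaaaaaaaaa"):
    """Constructed Config invocation for a gateway just attached to vpc_id."""
    item = {
        "resourceType": IGW_TYPE,
        "resourceId": "igw-0fedcba9876543210",
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"internetGatewayId": "igw-0fedcba9876543210",
                          "attachments": [{"state": "available", "vpcId": vpc_id}]},
    }
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": item}),
            "ruleParameters": json.dumps({"AuthorizedVpcIds": authorized}),
            "resultToken": "constructed-token"}


if __name__ == "__main__":
    event = sample_event()
    result = lambda_handler(event, None)
    print(result["ComplianceType"], "-", result["Annotation"])
    if result["ComplianceType"] == NON_COMPLIANT:
        ec2 = FakeEc2()
        print("detached from", remediate(item_from_event(event),
                                         parse_authorized_vpcs(event["ruleParameters"]), ec2))
```

In a deployment the rule and the remediation run as separate steps: the rule only reports, and the detach runs from the remediation path so that a bug in evaluation cannot tear down a gateway that was never judged non-compliant. Deleted resources are reported NOT_APPLICABLE so stale evaluations do not linger, and the allowlist is read from the rule parameter rather than hard-coded so the same function serves several accounts.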