AWS Certified Security – Specialty — Question 70

The Security Engineer is managing a traditional three-tier web application that is running on Amazon EC2 instances. The application has become the target of increasing numbers of malicious attacks from the Internet.
What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface? (Choose two.)

Answer options

• A. Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
• B. Review the application security groups to ensure that only the necessary ports are open.
• C. Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
• D. Use Amazon Inspector to periodically scan the backend instances.
• E. Use AWS Key Management Services to encrypt all the traffic between the client and application servers.

Correct answer: B, D

Explanation

Option B is correct because reviewing and limiting open ports in the application's security groups directly reduces the attack surface. Option D is also correct as Amazon Inspector can identify vulnerabilities in the backend instances. Options A, C, and E, while related to security, do not directly address checking for vulnerabilities or minimizing the attack surface in the same way.