CompTIA CASP+ (CAS-004) — Question 567
A security analyst at a global financial firm was reviewing the design of a cloud-based system to identify opportunities to improve the security of the architecture. The system was recently involved in a data breach after a vulnerability was exploited within a virtual machine's operating system. The analyst observed the VPC in which the system was located was not peered with the security VPC that contained the centralized vulnerability scanner due to the cloud provider's limitations. Which of the following is the BEST course of action to help prevent this situation in the near future?
Answer options
- A. Establish cross-account trusts to connect all VPCs via API for secure configuration scanning.
- B. Migrate the system to another larger, top-tier cloud provider and leverage the additional VPC peering flexibility.
- C. Implement a centralized network gateway to bridge network traffic between all VPCs.
- D. Enable VPC traffic mirroring for all VPCs and aggregate the data for threat detection.
Correct answer: A
Explanation
Establishing cross-account trusts lets the centralized vulnerability scanner assess the configuration of every VPC through the cloud provider's API, so scanning no longer depends on network peering that the provider cannot offer. This directly addresses the root issue: the scanner had no reach into the affected VPC. The other options may improve security in other ways, but none resolves the scanning gap created by the provider's peering restriction, and a full migration to another provider is neither a near-term fix nor a guarantee of the needed flexibility.