
SCS-C01 Exam - Question 6


An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.

How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

Correct Answer: BC

Enhancing edge security entails both protecting the application from direct attacks and efficiently managing traffic routes. Moving web servers to private subnets without public IP addresses increases security by only allowing access through the Application Load Balancer, thus reducing exposure to direct attacks. Configuring AWS WAF provides an additional layer of security by protecting against web-layer attacks, including DDoS and malicious bots, which helps secure the ALB and, consequently, the EC2 instances.
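The two conditions described above can be checked mechanically. The following is an added example, not part of the original page or of any AWS tooling: it audits constructed dictionaries shaped like the EC2 `describe_instances` / `describe_route_tables` responses and a WAFv2 web ACL, and all IDs and the `audit_edge` and `public_subnets` helper names are assumptions made for illustration.

```python
# Added example: offline audit over constructed data shaped like boto3 responses.
# Limitation (assumption): subnets that rely on the VPC main route table
# (no explicit association) are not resolved here.

def public_subnets(route_tables):
    """Subnet IDs whose route table sends 0.0.0.0/0 to an internet gateway."""
    exposed = set()
    for rt in route_tables:
        to_igw = any(
            r.get("DestinationCidrBlock") == "0.0.0.0/0"
            and r.get("GatewayId", "").startswith("igw-")
            for r in rt.get("Routes", [])
        )
        if to_igw:
            exposed.update(a["SubnetId"] for a in rt.get("Associations", [])
                           if "SubnetId" in a)
    return exposed

def audit_edge(instances, route_tables, web_acl):
    """Return (resource, finding) pairs for answers B and C of the question."""
    findings = []
    exposed = public_subnets(route_tables)
    for inst in instances:
        if inst.get("PublicIpAddress"):          # B: no public IP on web servers
            findings.append((inst["InstanceId"], "has public IP"))
        if inst["SubnetId"] in exposed:          # B: web servers in private subnets
            findings.append((inst["InstanceId"], "in public subnet"))
    if web_acl is None:                          # C: WAF in front of the ALB
        findings.append(("alb", "no web ACL associated"))
    elif not any("RateBasedStatement" in r.get("Statement", {})
                 for r in web_acl.get("Rules", [])):
        findings.append(("alb", "web ACL has no rate-based rule"))
    return findings

# Constructed sample input (placeholder IDs, documentation IP range).
INSTANCES = [
    {"InstanceId": "i-web-1", "SubnetId": "subnet-public-a",
     "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-web-2", "SubnetId": "subnet-private-a"},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
]
WEB_ACL = {"Name": "example-acl", "Rules": [
    {"Name": "rate-limit",
     "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}}}]}

if __name__ == "__main__":
    for resource, finding in audit_edge(INSTANCES, ROUTE_TABLES, WEB_ACL):
        print(resource, "-", finding)
```
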

Discussion

17 comments
josellama2000
Sep 21, 2021

Agreed. Correct is B and C. A is incorrect. NAT gateways are for outbound-only traffic. D is incorrect. Bastion host is mostly for incoming SSH/FTP connections and it must be placed on a public subnet. E is incorrect. AWS Direct Connect is used to connect your on-premises datacenter to AWS.

nasreenazad57
Oct 24, 2021

If we move web servers to private subnets without public IP, it means they won't be able to serve as public web servers, am I correct?

frees
Oct 28, 2021

Load Balancer will have public IP.

rohanat
Jan 5, 2023

But application and web servers need to be isolated into different layers. Moving the web servers to private subnet will increase the blast radius if web servers are hacked. So this answer is not fully right.

Robert0
Jun 4, 2023

The question does not specify that the private subnet has to be unique. Agree with you that it may be a more complete answer. But they are "more secure" options than the initial state.

BillyC
Sep 20, 2021

B and C

Kdosec
Nov 5, 2021

B & C are correct, but the C answer with "C. Configure AWS WAF to provide DDoS attack protection" is really not correct with DDoS attack protection, it must be AWS Shield.

NivNZ
Nov 6, 2021

No actually, C is correct too. If you check WAF's FAQ - "Can I use Rate-based rule to mitigate Web layer DDoS attacks?" It does say "Yes. This new rules type is designed to protect you from use cases such web-layer DDoS attacks, brute force login attempts and bad bots." Reference: https://aws.amazon.com/waf/faqs/

Mike_1
Oct 16, 2021

All answers look good. But since the question emphasizes "edge location" enhanced security, BC it is.

devjava
Oct 20, 2021

Ans > B,C

kalzht00
Oct 23, 2021

Should be B & C

NANDY666
Oct 24, 2021

B and C

Haxor
Oct 26, 2021

I don't understand why everyone is saying B? If it is B, then surely your users can't access the instances, so instead it should be A and C, right?

apartha77
Oct 27, 2021

Ans > B&C... the ALB can be configured to access web server in private subnet

gondohwe
Sep 2, 2022

It doesn't matter if the web servers are in private subnets... the ALB facing the internet will receive requests... BC make a better choice.

mmelo
Oct 29, 2021

B and C

sanjaym
Nov 2, 2021

Ans:BC 100%

hk436
Nov 6, 2021

B and C is my answer

dcasabona
Options: BC
Aug 5, 2022

B and C make sense to me.

gg12345
Options: BC
Nov 11, 2022

B and C

Robert0
Options: BC
Jun 4, 2023

B and C.

Benah
Sep 12, 2023

B and C is correct

rapatajones
Options: BC
Oct 17, 2023

B and C

jlggross
Jul 16, 2024

C might be correct but is a tricky one. When it comes to DDoS mitigation, the recommended solution is AWS Shield, but other services can also mitigate DDoS, such as AWS WAF.