Exam CAS-004
Question 346

A security analyst at a global financial firm was reviewing the design of a cloud-based system to identify opportunities to improve the security of the architecture. The system was recently involved in a data breach after a vulnerability was exploited within a virtual machine's operating system. The analyst observed the VPC in which the system was located was not peered with the security VPC that contained the centralized vulnerability scanner due to the cloud provider's limitations. Which of the following is the BEST course of action to help prevent this situation in the near future?

    Correct Answer: C

    Implementing a centralized network gateway (a hub-and-spoke or "transit" design) gives the security VPC a routed path to every other VPC without depending on pairwise VPC peering, which is exactly the capability the provider's limitation removed here. Once the workload VPC is attached to the hub, the centralized vulnerability scanner can reach hosts inside it over the network and would have found the exploitable operating-system flaw before it was used in the breach. Because all inter-VPC traffic transits the hub, the same choke point can also carry inspection and monitoring controls. The practical caveats are that the hub's route tables should only carry the scanner-to-workload prefixes (spokes should not gain reachability to each other as a side effect), that each spoke needs a return route to the security VPC or the scan silently fails, and that the scanner's source address must be permitted by the workload's security groups. That makes option C the best course of action: it prevents the recurrence rather than only detecting it after the fact.
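The following is an added example (not part of the exam explanation, and not any cloud provider's API) that models the hub-and-spoke routing described above and runs the two checks a practitioner would want before trusting the scanner: that every workload host is reachable from the scanner in both directions, and that the hub does not accidentally bridge workload VPCs to one another. The VPC names, CIDRs and the `hub-rt`/`spoke-rt` route tables are a constructed topology; the `finance` VPC is deliberately missing its return route to show how the check surfaces an asymmetric path.

```python
"""Hub-and-spoke reachability check for a centralized vulnerability scanner.

Models each VPC's route table plus a transit gateway with per-attachment
route tables, then verifies (1) the scanner VPC reaches every workload host
and the replies can get back, and (2) workload VPCs remain isolated from
each other. The topology at the bottom is a constructed example.
"""
import ipaddress
from dataclasses import dataclass

TGW = "tgw"  # route target meaning "forward to the transit gateway attachment"


@dataclass
class Vpc:
    name: str
    cidr: str
    routes: dict            # destination CIDR -> "local" or TGW (the VPC route table)
    tgw_route_table: str    # transit gateway route table associated with this attachment


def _lpm(routes, ip):
    """Longest-prefix match over {cidr: target}; returns the target or None."""
    best = None
    for dst, target in routes.items():
        net = ipaddress.ip_network(dst)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def next_vpc(vpcs, tgw_tables, src, dst_ip):
    """Name of the VPC that receives a packet sent from `src` to `dst_ip`,
    or None when some hop has no route (VPC table, then the TGW table)."""
    ip = ipaddress.ip_address(dst_ip)
    src_vpc = vpcs[src]
    if ip in ipaddress.ip_network(src_vpc.cidr):
        return src                      # delivered locally, never leaves the VPC
    if _lpm(src_vpc.routes, ip) != TGW:
        return None                     # VPC route table does not hand it to the hub
    attachment = _lpm(tgw_tables[src_vpc.tgw_route_table], ip)
    if attachment is None or ip not in ipaddress.ip_network(vpcs[attachment].cidr):
        return None                     # hub has no route, or it points at the wrong VPC
    return attachment


def check_scanner(vpcs, tgw_tables, scanner_vpc, scanner_ip, target_ips):
    """Per target host: does the scanner reach it, and can the reply return?
    A missing return route looks like a host that is 'down' to the scanner."""
    report = {}
    for target_ip in target_ips:
        dst = next_vpc(vpcs, tgw_tables, scanner_vpc, target_ip)
        forward = dst is not None
        back = forward and next_vpc(vpcs, tgw_tables, dst, scanner_ip) == scanner_vpc
        report[target_ip] = {"forward": forward, "return": back}
    return report


def spoke_leaks(vpcs, tgw_tables, hub):
    """Pairs of non-hub VPCs that can reach each other through the hub.
    Empty means the hub bridges scanner traffic only, not workload traffic."""
    spokes = [v for v in vpcs if v != hub]
    leaks = []
    for a in spokes:
        for b in spokes:
            if a == b:
                continue
            probe = str(ipaddress.ip_network(vpcs[b].cidr)[10])  # any host in b
            if next_vpc(vpcs, tgw_tables, a, probe) == b:
                leaks.append((a, b))
    return leaks


# Constructed topology: the security VPC is the hub, prod and finance are spokes.
VPCS = {
    "security": Vpc("security", "10.0.0.0/16",
                    {"10.0.0.0/16": "local", "10.1.0.0/16": TGW, "10.2.0.0/16": TGW},
                    "hub-rt"),
    "prod": Vpc("prod", "10.1.0.0/16",
                {"10.1.0.0/16": "local", "10.0.0.0/16": TGW}, "spoke-rt"),
    # finance lacks the return route to 10.0.0.0/16: the scanner's SYN arrives,
    # the SYN/ACK has nowhere to go, and the scan reports nothing.
    "finance": Vpc("finance", "10.2.0.0/16",
                   {"10.2.0.0/16": "local"}, "spoke-rt"),
}
TGW_TABLES = {
    "hub-rt": {"10.1.0.0/16": "prod", "10.2.0.0/16": "finance"},
    "spoke-rt": {"10.0.0.0/16": "security"},   # spokes can only see the hub
}
SCANNER_IP = "10.0.1.10"  # hypothetical scanner address in the security VPC

if __name__ == "__main__":
    for ip, result in check_scanner(VPCS, TGW_TABLES, "security", SCANNER_IP,
                                    ["10.1.4.20", "10.2.4.20"]).items():
        print(ip, result)
    print("spoke leaks:", spoke_leaks(VPCS, TGW_TABLES, "security"))
```

The `spoke-rt` table carrying only the hub prefix is what keeps the "bridge" from becoming a flat network; adding a spoke prefix to it is the change that `spoke_leaks` exists to catch. A real deployment additionally needs the scanner's source address allowed in each workload's security groups, which this routing-only model does not represent.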

Discussion
weaponxcel (Option: C)

C. Implement a centralized network gateway to bridge network traffic between all VPCs. The question asks for the BEST course of action to help PREVENT this situation in the near future. Between the two options A and C, option C ("Implement a centralized network gateway") provides a network-level solution that directly enables inter-VPC communication, allowing the centralized vulnerability scanner to scan systems in the other VPC. This would likely provide a more comprehensive scanning capability than just configuration scanning via API.

Ariel235788 (Option: C)

C. Implement a centralized network gateway to bridge network traffic between all VPCs. Explanation:
Centralized Network Gateway: By implementing a centralized network gateway or hub (sometimes referred to as a "transit VPC"), you create a central point where traffic from multiple VPCs can be routed and monitored. This allows you to control and inspect traffic flowing between VPCs.
Secure Traffic Routing: The centralized network gateway provides a secure way to route traffic between VPCs, even if direct VPC peering is not supported or limited by the cloud provider. It acts as an intermediary, ensuring that traffic flows through a controlled path.
Security and Visibility: With traffic passing through the centralized gateway, you can implement security controls and monitoring, including vulnerability scanning, intrusion detection, and threat detection, to identify and respond to threats across the VPCs.
Scalability: This approach is scalable and allows you to add additional VPCs in the future while maintaining centralized control and security.

CXSSP (Option: A)

A. Establish cross-account trusts to connect all VPCs via API for secure configuration scanning. This option focuses on setting up cross-account trusts, which would allow secure communication between VPCs for the purpose of configuration scanning. By doing this, the centralized vulnerability scanner in the security VPC can communicate with the VPC containing the system to perform secure scanning for vulnerabilities. This would help in preventing future breaches caused by unpatched vulnerabilities.

e020fdc (Option: A)

The cause of the issue was that the VPC was not peered with the scanner and so did not have the proper configurations. B is a bogus answer. C and D address issues with monitoring traffic to detect issues after they occurred. But we should have proper configuration in the first place. Sticking with A

Anarckii (Option: D)

If we bridge the network and centralize it, we create a single point of failure. This wouldn’t make sense since we are trying to address a centralized vulnerability. Answer is D

wizwiz (Option: D)

Answer is D: Reference: https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html

23169fd (Option: A)

Cross-account trusts allow different accounts and their respective VPCs to interact securely through APIs. This solution bypasses the VPC peering limitations by using API connections, which can be securely authenticated and authorized through cross-account roles and policies. It enables centralized vulnerability scanning and configuration management without needing direct network connectivity, enhancing security and ensuring continuous monitoring and compliance.

e4af987 (Option: A)

Gemini's argument: In the scenario with the limitations on VPC peering with the security VPC, A. Establish cross-account trusts to connect all VPCs via API for secure configuration scanning is the least bad option out of the provided choices.

Trap_D0_r (Option: A)

A will allow you to immediately assess your security posture of all hosts and patch. Why not D? Traffic mirroring won't help prevent any more exfiltration or assess your security posture, it'll just give you more logs to sift through. Why not C? You're adding complexity to the system and possibly creating more vulnerability points (The word BRIDGE should scare you off right away). Also, rearranging the network won't be a fast or easy solution. Why not B? Because it's preposterous.

OdinAtlasSteel (Option: D)

While establishing cross-account trusts (option A) or implementing a centralized network gateway (option C) might help in certain scenarios, enabling VPC traffic mirroring offers a more targeted and efficient solution for monitoring network traffic and detecting vulnerabilities or threats across multiple VPCs in this context. Therefore, enabling VPC traffic mirroring for all VPCs and aggregating the data for threat detection (option D) is the most effective approach to help prevent similar vulnerabilities or breaches in the near future within the cloud-based system.

32d799a (Option: A)

Option A seems to be the most direct solution to the problem, enabling centralized vulnerability scanning without a need for physical or virtual network changes.