Which of the following mitigations should be recommended?
Use AWS Config to detect whether an Internet Gateway is added and use an AWS Lambda function to provide auto-remediation.
Within the Amazon VPC configuration, mark the VPC as private and disable Elastic IP addresses.
Use IPv6 addressing exclusively on the EC2 hosts, as this prevents the hosts from being accessed from the internet.
Move the workload to a Dedicated Host, as this provides additional network security controls and monitoring.
Explanations:
Using AWS Config to monitor for the addition of an Internet Gateway allows for proactive detection of potential exposure. Coupling this with an AWS Lambda function for auto-remediation ensures that any unauthorized changes are quickly addressed, thus minimizing the risk of accidental or malicious exposure to the internet.
Marking the VPC as private is not an option since the concept of marking a VPC as “private” does not exist in AWS. Disabling Elastic IPs does not prevent exposure through other means, such as route table misconfigurations or the use of NAT gateways. Thus, it does not provide a comprehensive solution to the risk identified.
Exclusive use of IPv6 does not inherently prevent internet access; it may allow access depending on the routing and security group configurations. Moreover, relying solely on IPv6 without proper security controls can still result in exposure to the internet, so this option does not adequately mitigate the risk.
Moving to a Dedicated Host primarily provides benefits related to resource isolation and compliance, but it does not inherently improve network security controls or prevent internet exposure. Proper network configurations and security practices are essential regardless of the underlying host type.
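To make the first option concrete, the following is an added example (not part of the original question or any AWS-provided code) of the Lambda side of that pattern: a handler that parses an AWS Config change notification for an AWS::EC2::InternetGateway resource, detaches the gateway from any VPC on a protected list, and returns the evaluation that would be reported back to AWS Config. The event layout follows the documented invokingEvent/configurationItem shape; the gateway, VPC and token values are constructed, the protected-VPC set and the RecordingEC2 class are assumptions made so the logic can run offline, and only the lambda_handler entry point touches boto3.

```python
import json
from typing import Any, Protocol

# Assumption (placeholder): VPCs that must never have an Internet Gateway attached.
PROTECTED_VPCS = {"vpc-0abc1234def567890"}


class EC2Client(Protocol):
    """The single EC2 call the remediation needs; boto3's ec2 client satisfies it."""

    def detach_internet_gateway(self, *, InternetGatewayId: str, VpcId: str) -> Any: ...


class RecordingEC2:
    """Stand-in client for offline runs and tests; records the calls it receives."""

    def __init__(self) -> None:
        self.calls = []

    def detach_internet_gateway(self, **kwargs: Any) -> dict:
        self.calls.append(kwargs)
        return {}


def parse_config_event(event: dict) -> dict:
    """AWS Config delivers the change record as a JSON string in 'invokingEvent'."""
    invoking = json.loads(event["invokingEvent"])
    return invoking.get("configurationItem") or {}


def attached_vpcs(item: dict) -> list:
    """VPC ids the changed Internet Gateway is currently attached to."""
    if item.get("resourceType") != "AWS::EC2::InternetGateway":
        return []
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return []
    attachments = (item.get("configuration") or {}).get("attachments") or []
    # EC2 reports an attached gateway with state 'available'; older records use 'attached'.
    return [a["vpcId"] for a in attachments if a.get("state") in ("available", "attached")]


def remediate(event: dict, ec2: EC2Client, protected_vpcs: set) -> dict:
    """Detach the gateway from protected VPCs and build the PutEvaluations entry."""
    item = parse_config_event(event)
    igw_id = item.get("resourceId", "")
    offending = [v for v in attached_vpcs(item) if v in protected_vpcs]
    detached = []
    for vpc_id in offending:
        ec2.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
        detached.append(vpc_id)
    if item.get("resourceType") != "AWS::EC2::InternetGateway":
        compliance = "NOT_APPLICABLE"
    else:
        compliance = "NON_COMPLIANT" if offending else "COMPLIANT"
    evaluation = {
        "ComplianceResourceType": item.get("resourceType", "AWS::EC2::InternetGateway"),
        "ComplianceResourceId": igw_id,
        "ComplianceType": compliance,
        "Annotation": ("Detached from " + ", ".join(detached)) if detached
                      else "No protected VPC attached",
        "OrderingTimestamp": item.get("configurationItemCaptureTime", ""),
    }
    return {"evaluation": evaluation, "detached": detached}


def lambda_handler(event: dict, context: Any) -> dict:
    """Lambda entry point: remediate with real clients and report to AWS Config."""
    import boto3  # imported here so the logic above can be exercised without boto3

    result = remediate(event, boto3.client("ec2"), PROTECTED_VPCS)
    boto3.client("config").put_evaluations(
        Evaluations=[result["evaluation"]], ResultToken=event["resultToken"])
    return result


# Constructed sample: the notification AWS Config would send after an IGW is attached.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::InternetGateway",
            "resourceId": "igw-0123456789abcdef0",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {
                "attachments": [{"state": "available", "vpcId": "vpc-0abc1234def567890"}]
            },
        },
    }),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(remediate(SAMPLE_EVENT, RecordingEC2(), PROTECTED_VPCS))
```

The Config rule is created with the resource type scoped to AWS::EC2::InternetGateway so the function only runs on gateway changes, and the function's IAM role needs nothing beyond ec2:DetachInternetGateway and config:PutEvaluations; a remediation role that can modify networking is itself a sensitive credential, so its permissions and its invocation logs deserve the same monitoring as the gateway changes it reacts to.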