How can edge security be enhanced to safeguard the Amazon EC2 instances against attack?
(Choose two.)
A. Configure the application's EC2 instances to use NAT gateways for all inbound traffic.
B. Move the web servers to private subnets without public IP addresses.
C. Configure AWS WAF to provide DDoS attack protection for the ALB.
D. Require all inbound network traffic to route through a bastion host in the private subnet.
E. Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.
Explanations:
A. NAT gateways provide outbound internet access for instances in private subnets; they do not accept inbound traffic. Configuring NAT gateways therefore does not enhance the edge security of the EC2 instances against attacks, although instances sitting behind a NAT gateway already have limited direct exposure to the internet.
B. Moving the web servers to private subnets removes their public IP addresses, which significantly reduces their exposure to the internet and to potential attacks. Security improves because the web servers are then reachable only through the Application Load Balancer (ALB), where access can be controlled more tightly.
C. Configuring AWS WAF (Web Application Firewall) adds a layer of security by filtering and monitoring the HTTP requests that reach the ALB. It helps protect against DDoS attacks and common web exploits, improving the overall edge security of the application.
D. Requiring all inbound traffic to route through a bastion host can limit direct access to the EC2 instances, but it does not significantly enhance edge security for the application. A bastion host is typically used for administrative access rather than for regular application traffic, and it can become a single point of failure.
E. Routing all inbound and outbound traffic through an AWS Direct Connect connection is not a practical way to enhance edge security. Direct Connect is used to establish dedicated network connections from on-premises networks to AWS; it provides no specific protection against attacks on EC2 instances.