What steps should the Security Engineer take to check for known vulnerabilities and limit the attack surface?
(Choose two.)
Use AWS Certificate Manager to encrypt all traffic between the client and application servers.
Review the application security groups to ensure that only the necessary ports are open.
Use Elastic Load Balancing to offload Secure Sockets Layer encryption.
Use Amazon Inspector to periodically scan the backend instances.
Use AWS Key Management Services to encrypt all the traffic between the client and application servers.
Explanations:
Reviewing and limiting open ports via security groups reduces the attack surface and limits access to only necessary services, making it harder for attackers to exploit the system.
Amazon Inspector is a security assessment service that can automatically identify vulnerabilities and misconfigurations in EC2 instances. Running periodic scans helps identify known vulnerabilities and mitigate risks.
AWS Certificate Manager is used to manage SSL/TLS certificates for securing HTTPS traffic but does not directly address the security of EC2 instances or vulnerabilities in the backend application.
Elastic Load Balancing offloads SSL/TLS encryption, which helps improve performance, but it does not help directly address known vulnerabilities or reduce the attack surface on the backend EC2 instances.
AWS Key Management Services (KMS) is used for managing encryption keys, but it doesn’t directly encrypt traffic between clients and application servers. Encryption should be done using SSL/TLS, not KMS.
As far as I’m aware, the answer is:
Review the application security groups to ensure that only the necessary ports are open.