Which of the following minimizes the potential attack surface for applications?
A. Use security groups to provide stateful firewalls for Amazon EC2 instances at the hypervisor level.
B. Use network ACLs to provide stateful firewalls at the VPC level to prevent access to any specific AWS resource.
C. Use AWS Direct Connect for secure trusted connections between EC2 instances within private subnets.
D. Design network security in a single layer within the perimeter network (also known as DMZ, demilitarized zone, and screened subnet) to facilitate quicker responses to threats.
Explanations:
Using security groups provides stateful firewalls that control inbound and outbound traffic at the instance level. This minimizes the attack surface by allowing only necessary traffic and services, effectively reducing exposure to potential threats.
Network ACLs operate at the subnet level and provide stateless filtering, not stateful firewalls. While they can restrict access to resources, they are less effective at minimizing the attack surface than security groups, which provide more granular, per-instance control.
AWS Direct Connect is used to establish a dedicated network connection from an on-premises data center to AWS. While it enhances security by avoiding the public internet, it does not specifically minimize the attack surface for applications within VPCs.
Designing network security as a single layer within a DMZ does not adequately minimize the attack surface. A layered approach (defense in depth) is more effective because it places multiple barriers between threats and applications rather than relying on a single perimeter.