Which solution meets these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A security engineer is creating a new Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster.The cluster will act as a data warehouse.A separate fleet of application servers will extract records from the data warehouse and will transform these records into reports that will be uploaded to Amazon S3 buckets.The security engineer must securely configure the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster so that only the application servers can access it.

Which solution meets these requirements?

Configure network ACLs on the subnets that host the Amazon OpenSearch Service (Amazon Elasticsearch Service) instances to allow access from the application servers only.

Configure a VPC peering connection between the VPC that contains the application servers and the VPC that contains the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster.

Monitor the VPC flow logs for traffic that is destined for the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Use the flow logs to detect traffic that did not originate from the application servers.

Configure the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster for VPC access only. Use a security group to allow access to the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster from the application servers only.

Explanations:

Network ACLs operate at the subnet level, and while they can control inbound and outbound traffic, they are not suitable for restricting access based on application server IPs in a secure and manageable way. Security groups are a more appropriate tool.

A VPC peering connection is not needed if both the OpenSearch cluster and the application servers are within the same VPC or if a more direct method of securing access (like security groups or VPC endpoints) is available.

Monitoring VPC flow logs is a reactive measure and would only detect unauthorized traffic after the fact. It does not actively prevent unauthorized access or restrict it in real time.

Configuring the Amazon OpenSearch Service cluster for VPC access ensures that it is accessible only from within the specified VPC. Using security groups to control access from the application servers provides an effective, secure way to restrict access to only the required instances.

2025-10-15

1 Comment

  1. Jennifer
    Author

    It appears that the answer is:
    Configure the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster for VPC access only. Use a security group to allow access to the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster from the application servers only.

Leave a Reply

Your email address will not be published. Required fields are marked *

6 − 3 =