ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization has deployed a three-tier application (web, application, database) in separate subnets inside the same public-cloud virtual network. A new policy now requires that all traffic flowing between those subnets be encrypted while in transit, but the development team cannot modify or recompile the application code. Which infrastructure-level security control will best meet this requirement with the least impact on the workloads themselves?
Terminate TLS sessions on an internet-facing load balancer in front of the web tier.
Enable server-side encryption with customer-managed keys (CMKs) on the block storage volumes used by each tier.
Create IPsec VPN tunnel-mode connections between the subnets by configuring the cloud provider's virtual routers or gateways.
Apply restrictive stateful security group rules to permit only required TCP and UDP ports between the subnets.
Because the workloads cannot be modified, the encryption mechanism must be transparent to the operating systems and applications. Establishing an IPsec VPN in tunnel mode between the virtual routers (or gateways) that interconnect the subnets creates an overlay tunnel; every packet that leaves one subnet is automatically encrypted and then decrypted on entry to the destination subnet, satisfying the mandate for encryption in transit without touching the instances.
Security group rules are stateful fire-wall filters; they restrict which packets are allowed but do not provide cryptographic protection. Terminating TLS on an internet-facing load balancer only protects traffic between external clients and the web tier; packets between internal subnets remain in clear text. Enabling server-side encryption on block storage protects data at rest, not data moving across the network. Therefore, the IPsec tunnel between subnets is the correct choice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an IPsec VPN tunnel mode and how does it encrypt data in transit?
Open an interactive chat with Bash
How do virtual routers or gateways facilitate IPsec VPN tunnels in public cloud networks?
Open an interactive chat with Bash
Why can’t security group rules or server-side encryption meet this requirement?
Open an interactive chat with Bash
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Platform & Infrastructure Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .