ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A fintech startup is about to launch production EC2 instances that will store and process card-holder data. Corporate security policy requires a host-based intrusion-prevention (HIPS) agent on each instance, but the licensing purchase will not be completed for another month. Which temporary measure is the most appropriate compensating control to reduce the same risk during the interim period?
Enable AWS CloudTrail data events for the EBS volumes attached to the instances.
Deploy AWS Network Firewall with managed intrusion-prevention rule groups to inspect and block traffic to and from the EC2 subnet.
Force all instances to use Instance Metadata Service v2 and disable IMDSv1.
Move the instances into a private subnet that lacks an Internet gateway.
A compensating control must offer protection that is comparable in intent and strength to the missing primary control. While host-based IPS analyzes traffic on the instance itself, deploying an inline, stateful network security service that applies intrusion-prevention rules to all traffic entering and leaving the subnet provides similar detection and blocking capability. AWS Network Firewall can inspect traffic against managed rule groups and block known exploits, thereby mitigating many of the threats the HIPS would address. The other options either reduce the attack surface or improve logging but do not actively detect and block malicious traffic, so they do not provide equivalent protection.
Security Concepts and Practices