ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A fintech startup runs its Java microservices in an Auto Scaling group of Amazon EC2 instances across two Availability Zones. The CISO has read about cache-based side-channel techniques that might let a malicious tenant on the same physical server access secrets from the company's virtual machines. Which action best mitigates the risk of this type of inter-VM attack without redesigning the VPC networking or changing application code?
Restrict each instance's security group to accept traffic only from the Application Load Balancer and required AWS service endpoints.
Provision the Auto Scaling group to use EC2 Dedicated Hosts so that only your company's instances run on each physical server.
Enable VPC Flow Logs and Amazon GuardDuty to detect anomalous east-west traffic between instances.
Place all instances in a spread placement group to force distribution across different racks and minimize correlated failures.
Cache-based side-channel and other inter-VM attacks rely on two customers' instances sharing the same underlying hypervisor and physical CPU caches. Launching the application on EC2 Dedicated Hosts (or at minimum Dedicated Instances) gives the company sole tenancy of the hardware, so no other customer's VM can execute on that host and mount cross-VM attacks. Placement groups, security groups, or GuardDuty/VPC Flow Logs improve performance or detection, but they do not eliminate co-tenancy on the hypervisor and therefore do not remove the attack surface. They may reduce network-layer threats but have no effect on processor-side channels.
Systems and Application Security