ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company hosts development and production microservices on Amazon EC2 in the same /16 VPC subnet that shares security groups, letting developers reach production databases. You need strong logical isolation between the environments while still allowing limited CI/CD ports from development into production, with minimal cost and administration. Which approach best meets these requirements?
Keep all instances in the current subnet but assign distinct security groups to dev and prod and deny all inter-group traffic except the CI/CD ports.
Keep both environments in the same subnet but deploy AWS Network Firewall between them to filter all traffic except the CI/CD ports.
Move development instances to a new subnet within the existing VPC and attach a dedicated network ACL that blocks all traffic except the CI/CD ports.
Create separate VPCs for development and production, connect them with a VPC peering connection, and use route tables and security groups to allow only the required CI/CD ports.
Creating separate VPCs for development and production gives each environment an independent, non-overlapping IP space and its own routing and security boundaries, delivering the strongest form of logical segmentation at Layer 3. A VPC itself is free, and VPC peering has no hourly cost; you only pay for data that crosses the link. By adding route-table entries that point at the peering connection only for the required prefixes, and by writing security-group rules that admit only the CI/CD ports from the development side, you allow just the necessary traffic while denying everything else.
Placing dev and prod in different subnets with distinct network ACLs still leaves them in the same VPC, so a misconfiguration (for example, an overly permissive route table) could expose prod resources, and because network ACLs are stateless they require matching inbound and outbound rules, increasing operational effort. Simply changing security groups keeps everything in one subnet, providing the weakest separation and the largest blast radius. Deploying AWS Network Firewall would achieve segmentation but adds service cost and management overhead that the scenario seeks to avoid.
ISC2 Systems Security Certified Practitioner (SSCP)
Network and Communication Security