AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company is reviewing the security of a multi-tier application hosted on AWS. The architecture consists of an Application Load Balancer (ALB) distributing traffic to an Auto Scaling group of EC2 instances in private subnets. These instances process sensitive data, retrieve database credentials from AWS Secrets Manager, and read/write reports to a specific Amazon S3 bucket. All outbound traffic from the EC2 instances, including calls to AWS services, is routed through a NAT Gateway.
A security audit has highlighted the following findings:
- The IAM role attached to the EC2 instances has an overly permissive policy granting s3:* actions on arn:aws:s3:::*.
- The security group for the EC2 instances allows all outbound traffic to 0.0.0.0/0.
- All communication from the EC2 instances to AWS services such as S3 and Secrets Manager is sent through the NAT Gateway to the services' public endpoints.
A solutions architect must propose a strategy to implement defense-in-depth and remediate these findings. Which set of recommendations provides the most comprehensive security improvements across multiple layers?
Migrate the secrets from Secrets Manager to AWS Systems Manager Parameter Store for centralized configuration. Configure the security group outbound rules to allow traffic only to the public IP address ranges for S3 and Secrets Manager.
Create a VPC gateway endpoint for S3 and a VPC interface endpoint for Secrets Manager. Update the EC2 instance IAM role to allow only s3:GetObject and s3:PutObject on the specific S3 bucket. Modify the EC2 security group to restrict outbound traffic to the VPC endpoints.
Configure Amazon EventBridge rules to trigger AWS Lambda functions for automated remediation of GuardDuty findings. Implement AWS Config rules to detect and alert on overly permissive IAM policies and security group rules.
Implement AWS WAF on the ALB and enable AWS Shield Advanced. Use AWS Network Firewall to create strict outbound filtering rules for all traffic leaving the VPC.
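As an added illustration (not part of the practice question), the Python below encodes the two audit findings as checks in the style of an AWS Config rule: it flags an IAM statement that pairs a wildcard action with a wildcard resource, and a security-group egress rule whose destination is 0.0.0.0/0, and it carries the scoped-down policy and endpoint-only egress rules as constructed samples. The bucket name, prefix-list id and security-group id are placeholders, not values from the question.

```python
# Constructed sample: the role policy the audit flagged (s3:* on every bucket).
PERMISSIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}

# Constructed sample: the scoped-down replacement. The bucket name is a placeholder;
# object-level actions need the object ARN (bucket/*), not the bucket ARN alone.
REPORTS_BUCKET = "example-reports-bucket"
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{REPORTS_BUCKET}/*",
    }],
}

# Constructed samples in the shape of EC2 DescribeSecurityGroups IpPermissionsEgress.
OPEN_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
# HTTPS only, to the S3 gateway endpoint's managed prefix list and to the security
# group of the Secrets Manager interface endpoint (both ids are placeholders).
ENDPOINT_ONLY_EGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "PrefixListIds": [{"PrefixListId": "pl-PLACEHOLDER"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": "sg-PLACEHOLDER"}]},
]

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_wildcard_statements(policy):
    """Return Allow statements that pair a wildcard action with a wildcard resource."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (any(a == "*" or a.endswith(":*") for a in actions)
                and any(r == "*" or r.endswith(":*") for r in resources)):
            findings.append(stmt)
    return findings

def find_internet_egress(egress_rules):
    """Return egress rules whose destination is the whole internet (0.0.0.0/0 or ::/0)."""
    open_cidrs = {"0.0.0.0/0", "::/0"}
    return [rule for rule in egress_rules
            if any(r.get("CidrIp") in open_cidrs for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") in open_cidrs for r in rule.get("Ipv6Ranges", []))]
```

Both checks report a finding for the audited configuration and nothing for the scoped-down policy and endpoint-only egress rules.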