AWS Security Blog

Correct Answer: Implementing security groups to control inbound and outbound traffic at the instance level

Implementing security groups is the recommended best practice for securing Amazon EC2 instances. Security groups act as a virtual firewall, allowing you to control inbound and outbound traffic at the instance level. They provide a flexible and granular way to define rules based on protocols, ports, and IP address ranges. Network ACLs operate at the subnet level and are not sufficient for instance-level security. Assigning public IP addresses to all instances is not a security best practice, as it exposes them to the internet unnecessarily. Disabling the default firewall and relying on custom iptables rules is not recommended, as it requires manual configuration and maintenance, whereas security groups are managed through the AWS Management Console or API.

Correct Answer: Implementing multi-factor authentication (MFA) for SSH access to EC2 instances

Implementing multi-factor authentication (MFA) for SSH access to EC2 instances is the recommended best practice for securing SSH access. MFA adds an extra layer of security by requiring users to provide an additional form of authentication, such as a time-based one-time password (TOTP), in addition to their SSH key. This helps prevent unauthorized access even if the SSH key is compromised. Storing SSH keys in a publicly accessible S3 bucket, using a single SSH key pair for all instances across multiple accounts and regions, and enabling SSH access for all IP addresses are all insecure practices that can lead to unauthorized access and should be avoided.

Correct Answer: Implement a comprehensive security strategy that includes regular security assessments, encryption of data at rest and in transit, strict access controls based on least privilege, and continuous monitoring using AWS services like CloudTrail and GuardDuty.

The best approach for ensuring the highest level of security and compliance in an AWS environment handling sensitive financial data is to implement a comprehensive security strategy. This strategy should include regular security assessments to identify potential vulnerabilities, encryption of data both at rest and in transit to protect sensitive information, strict access controls based on the principle of least privilege to limit unauthorized access, and continuous monitoring using AWS services like CloudTrail for tracking user activities and GuardDuty for detecting suspicious behavior. The other options mentioned are not sufficient on their own - focusing only on perimeter security, delegating all security responsibilities to AWS, or conducting ad-hoc audits and fixes do not provide the holistic, multi-layered approach necessary for securing sensitive data in the cloud. A comprehensive strategy that leverages multiple AWS security services and best practices is essential for maintaining a robust security posture and meeting compliance requirements.