
  • Confusing question

  • Privat33r

    Member
    August 18, 2024 at 9:50 pm

    Question:

    A web application is hosted on an EC2 instance that processes sensitive financial information which is launched in a private subnet. All of the data are stored in an Amazon S3 bucket. Financial information is accessed by users over the Internet. The security team of the company is concerned that the Internet connectivity to Amazon S3 is a security risk. In this scenario, what will you do to resolve this security vulnerability in the most cost-effective manner?

    “Financial information is accessed by users over the Internet.” How is it being accessed? If we give users e.g. presigned links to the S3 on the EC2-hosted website based on their identity (not mentioned in the question’s condition), then if we limit connectivity to S3, we break a potentially mission-critical function.

    The EC2 instance is in a private subnet, so it can’t be accessed by the users. I chose the correct answers because I understood that you want to contain the EC2-S3 connection inside of the VPC, to remove external (internet) routing (also, by using a VPC Gateway we save costs on networking), but at the same time it feels like we are breaking some functionality.

  • Nikee-TutorialsDojo

    Administrator
    August 20, 2024 at 10:30 am

    Hi Privat33r,

    Thank you for your feedback and for raising the important point about how financial information is accessed in the scenario. The scenario does not explicitly mention using presigned URLs or other specific methods for accessing the S3 bucket. The intent of the question is to focus on securing the connection between the EC2 instance and the S3 bucket, ensuring that sensitive financial data is not exposed to the internet unnecessarily.

    In this setup, the EC2 instance is hosted in a private subnet and acts as an intermediary between users and the Amazon S3 bucket. The primary concern is to secure the communication between the EC2 instance and S3 without assuming any specific method, such as presigned URLs. Using a Gateway VPC Endpoint ensures that all traffic between the EC2 instance and S3 remains within the AWS network, mitigating the security risk associated with internet exposure. This approach is both cost-effective and aligns with the security team’s concerns.

    By implementing the Gateway VPC Endpoint, the scenario maintains secure internal communication without breaking potential functionality, even though the specific user access method (e.g., presigned URLs) is not detailed.

    We appreciate your feedback and will consider clarifying these aspects to avoid any confusion. Thank you for helping us improve the quality of our practice exams!

    Regards,

    Nikee @ Tutorials Dojo
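Concretely, the gateway-endpoint design described in the reply above, as an added example in Python (not code from this thread or from Tutorials Dojo): the endpoint policy limits what can be reached through the endpoint to the application's bucket, the route-table association is what actually moves the instance's S3 traffic off the Internet path, and an optional bucket policy refuses any request that did not arrive through that endpoint. The bucket name, region, VPC and route-table IDs are placeholder assumptions; boto3 is imported only inside apply_with_boto3(), so the policy builders and the small evaluator run offline. The caveat Privat33r raised shows up in the evaluator: a request made with a presigned URL from a user's browser reaches S3 over the Internet with no aws:sourceVpce in its request context, so a deny-unless-endpoint bucket policy rejects it. Use that bucket policy only when the application itself proxies every object, and remember it also blocks the console and any other principal outside the endpoint unless you add an exception.

```python
"""Gateway VPC endpoint for S3 with a least-privilege endpoint policy and an
optional endpoint-only bucket policy. Added example, not from the thread;
all identifiers are placeholders."""
import json

REGION = "us-east-1"                         # assumption
BUCKET = "example-financial-data"            # assumption
VPC_ID = "vpc-0123456789abcdef0"             # assumption
ROUTE_TABLE_ID = "rtb-0123456789abcdef0"     # assumption: route table of the private subnet


def endpoint_policy(bucket: str) -> dict:
    """Attached to the endpoint: through it, only this bucket is reachable, read/write/list."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlyAppBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [arn, f"{arn}/*"],
        }],
    }


def bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket-side counterpart: deny every request that did not come through the endpoint.
    Caveat: presigned URLs fetched from the Internet carry no aws:sourceVpce and are denied too."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def denied_by_bucket_policy(policy: dict, request_context: dict) -> bool:
    """Minimal model of the Deny/StringNotEquals statements built above (not full IAM).
    StringNotEquals is true when the key is absent from the request context, which is
    exactly the case for a presigned URL request arriving over the Internet."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if all(request_context.get(k) != v for k, v in cond.items()):
            return True
    return False


def apply_with_boto3(bucket=BUCKET, vpc_id=VPC_ID, route_table_id=ROUTE_TABLE_ID,
                     region=REGION, lock_bucket=False) -> str:
    """Create the gateway endpoint with its policy and route, optionally lock the bucket.
    Needs real AWS credentials; not exercised offline."""
    import boto3  # imported here so everything above runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.create_vpc_endpoint(
        VpcEndpointType="Gateway",
        VpcId=vpc_id,
        ServiceName=f"com.amazonaws.{region}.s3",
        RouteTableIds=[route_table_id],   # gateway endpoints attach via route tables; no ENI, no hourly charge
        PolicyDocument=json.dumps(endpoint_policy(bucket)),
    )
    vpce_id = resp["VpcEndpoint"]["VpcEndpointId"]
    if lock_bucket:   # only when the app proxies all object access; see caveat above
        boto3.client("s3", region_name=region).put_bucket_policy(
            Bucket=bucket, Policy=json.dumps(bucket_policy(bucket, vpce_id)))
    return vpce_id


if __name__ == "__main__":
    pol = bucket_policy(BUCKET, "vpce-0abc")
    print("via endpoint denied:", denied_by_bucket_policy(pol, {"aws:sourceVpce": "vpce-0abc"}))
    print("presigned from Internet denied:", denied_by_bucket_policy(pol, {}))
```

After the endpoint exists, `aws ec2 describe-route-tables` should show a route whose destination is the S3 prefix list (`pl-...`) pointing at the `vpce-...` ID; that route, not the policy, is what keeps the EC2-to-S3 traffic inside the AWS network.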

  • Privat33r

    Member
    August 20, 2024 at 2:40 pm

    You say that

    In this setup, the EC2 instance is hosted in a private subnet and acts as an intermediary between users and the Amazon S3 bucket.

    but the question also states

    Financial information is accessed by users over the Internet

    You can’t access instances inside of the private subnet over the internet because there is no routing. That’s why it’s called private in the first place: no IGW.

    Even if we assume the presence of a NAT gateway, it still only allows external traffic and clients cannot connect there, unless clients use a reverse-proxy connection (that’s wild) with some way of notifying the server about new connections. The scenario sounds fun, but it still needs to be clarified.

    Source for public/private subnets meanings: https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html

  • Nikee-TutorialsDojo

    Administrator
    August 22, 2024 at 9:38 am

    Hello Privat33r,

    Apologies for the late response. Thank you for clarifying the important distinction between private and public subnets and the implications for Internet connectivity.

    You are correct that instances in a private subnet cannot be accessed directly over the Internet due to the lack of an Internet Gateway (IGW). The original scenario needed clarification, as it implied that users could somehow access the EC2 instance directly, which contradicts the nature of private subnets. To address this, the scenario should specify that users are accessing the financial information indirectly through the EC2 instance. This can be done via pre-signed URLs generated by the application, which allow secure access to the S3 bucket.

    Thank you once again for your valuable feedback. We will update this item, and the changes will be reflected as soon as possible. If you have further questions or need clarification, please do not hesitate to contact us.

    Regards,

    Nikee @ Tutorials Dojo
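The indirect access path settled on above (the application in the private subnet signs, the user's browser fetches from S3 over the Internet) is SigV4 query-string authentication. The following is an added example, not code from this thread or from Tutorials Dojo, that builds such a URL with the standard library only and then checks it the way S3 does, so the properties that matter here can be seen: the URL contains the key ID, scope, timestamp, lifetime and an HMAC signature but never the secret, any change to the bucket, key or query breaks the signature, and the URL is a bearer token until X-Amz-Expires runs out, so keep that window short. The bucket, region and credential pair are placeholder assumptions (the pair is the AWS documentation example pair); in production the application would call boto3's generate_presigned_url with its instance-role credentials, which adds the X-Amz-Security-Token parameter this example omits.

```python
"""Presigned S3 GET URLs (SigV4 query-string auth) generated by the app, plus
server-side style verification. Added example; signing is purely local."""
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlparse

ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"                          # assumption: doc example key id
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # assumption: doc example secret
REGION = "us-east-1"                                            # assumption
MAX_EXPIRES = 7 * 24 * 3600   # S3 rejects X-Amz-Expires longer than seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), "s3"), "aws4_request")."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _signature(secret: str, host: str, path: str, params: dict, region: str) -> tuple:
    """(hex signature, canonical query) for a GET where only the host header is signed."""
    amz_date = params["X-Amz-Date"]
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        ["GET", path, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    sig = hmac.new(_signing_key(secret, date, region), string_to_sign.encode(),
                   hashlib.sha256).hexdigest()
    return sig, canonical_query


def presign_get(bucket: str, key: str, expires_in: int, now_ts: int = None,
                region: str = REGION, access_key: str = ACCESS_KEY_ID,
                secret: str = SECRET_ACCESS_KEY) -> str:
    """Time-limited GET URL for one object; carries no secret, only key id, scope and HMAC."""
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError("expires_in must be 1..604800 seconds")
    now_ts = int(time.time()) if now_ts is None else now_ts
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now_ts))
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = quote("/" + key, safe="/")   # canonical URI: each path segment URI-encoded
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    sig, canonical_query = _signature(secret, host, path, params, region)
    return f"https://{host}{path}?{canonical_query}&X-Amz-Signature={sig}"


def verify_presigned(url: str, now_ts: int, secret: str = SECRET_ACCESS_KEY) -> tuple:
    """Re-derive the signature as S3 would and enforce the validity window.
    Returns (accepted, reason); any edit to host, path, query or timestamps fails."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    try:
        access_key, date, region, service, term = params["X-Amz-Credential"].split("/")
        start_ts = calendar.timegm(time.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ"))
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False, "malformed"
    if (service, term) != ("s3", "aws4_request") or access_key != ACCESS_KEY_ID \
            or date != params["X-Amz-Date"][:8]:
        return False, "bad credential scope"
    if not start_ts <= now_ts < start_ts + expires:
        return False, "expired"
    expected, _ = _signature(secret, u.netloc, u.path, params, region)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1724155200   # 2024-08-20T12:00:00Z, constructed
    url = presign_get("example-financial-data", "statements/2024-07.pdf", 300, now_ts=t0)
    print(url)
    print(verify_presigned(url, t0 + 10), verify_presigned(url, t0 + 400))
```

The part the security team cares about is visible in verify_presigned: S3 needs nothing from the application at fetch time, so the instance can stay in the private subnet with only the gateway endpoint route, while the user's request goes straight to S3 and lives or dies on the signature and the expiry.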
