Difficulty: hard · Application · Q8 of 15
AWS - Advanced Security
You want to design an AWS system that protects sensitive data even if an attacker compromises an EC2 instance. Which combination best applies defense in depth?
A. Allow all traffic to EC2, disable encryption, and use default IAM roles
B. Rely solely on CloudWatch alarms to detect attacks
C. Use only Security Groups without encryption or IAM restrictions
D. Use IAM roles with least privilege, encrypt data with KMS, and isolate EC2 in private subnets
Step-by-Step Solution
Solution:
  1. Step 1: Identify the layers that still protect data if the EC2 instance is compromised
     Least privilege limits what the instance's credentials can access, encryption with KMS protects the data itself, and private-subnet isolation limits network exposure.
  2. Step 2: Evaluate the options for defense in depth
     Only "Use IAM roles with least privilege, encrypt data with KMS, and isolate EC2 in private subnets" (Option D) combines multiple effective layers; the other options each rely on a single control or remove controls.
  3. Final Answer:
     Use IAM roles with least privilege, encrypt data with KMS, and isolate EC2 in private subnets -> Option D
  4. Quick Check:
     Defense in depth = Multiple strong layers [OK]
Quick Trick: Combine least privilege, encryption, isolation [OK]
Common Mistakes:
  • Allowing all traffic
  • Disabling encryption
  • Relying only on alarms