Which security measures fall into AWS’s responsibility?

You are running a web application on AWS consisting of the following components: an Elastic
Load Balancer (ELB), an Auto Scaling group of EC2 instances running Linux/PHP/Apache, and
Relational Database Service (RDS) MySQL.
Which security measures fall into AWS’s responsibility?

A.
Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access

B.
Protect against IP spoofing or packet sniffing

C.
Assure all communication between EC2 instances and ELB is encrypted

D.
Install latest security patches on ELB, RDS and EC2 instances
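Option A describes a control that stays on the customer's side of the shared responsibility model: AWS owns the hypervisor and network fabric, but what a security group permits is configured by the account owner. The following is an added example, not part of the original question or any of the comments, showing what enforcing least privilege on the three-tier layout from the question looks like as an audit: it walks security-group records shaped like the output of `aws ec2 describe-security-groups` and flags any ingress rule that lets a tier be reached from somewhere other than the tier directly in front of it. The JSON records, the group IDs (`sg-elb`, `sg-app`, `sg-db`) and the expected-upstream table are all constructed for the example and are hypothetical.

```python
"""Audit EC2 security-group ingress rules for least-privilege violations.

Added example (not from the original page). Under the shared responsibility
model AWS secures the hypervisor and network (for instance it blocks IP
spoofing and cross-tenant sniffing), while the customer owns what their
security groups allow. This models the layout from the question:
ELB -> EC2 app tier (Apache on 80) -> RDS MySQL (3306).

The records below are constructed to mimic the shape of
`aws ec2 describe-security-groups` output; the group IDs are hypothetical.
"""
import ipaddress

# Constructed sample data (hypothetical group IDs and rules).
SECURITY_GROUPS = [
    {"GroupId": "sg-elb", "GroupName": "web-elb",
     "IpPermissions": [
         # Expected: the load balancer is the only thing facing the internet.
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-app", "GroupName": "web-app",
     "IpPermissions": [
         # Correct: only the ELB's security group may reach Apache.
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
         # Violation: SSH open to the whole internet.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-db", "GroupName": "rds-mysql",
     "IpPermissions": [
         # Violation: MySQL reachable from the whole VPC CIDR, not just the
         # app tier's security group.
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
     ]},
]

# Least-privilege policy: which source may reach which group, on which ports.
# "internet" is the only source allowed to be an arbitrary CIDR range.
EXPECTED_UPSTREAM = {
    "sg-elb": {"internet": {443}},
    "sg-app": {"sg-elb": {80}},
    "sg-db": {"sg-app": {3306}},
}


def _rule_ports(rule):
    """Set of TCP/UDP ports a rule opens; {"all"} when the protocol is -1."""
    if rule["IpProtocol"] == "-1":
        return {"all"}
    return set(range(rule["FromPort"], rule["ToPort"] + 1))


def audit(groups, expected):
    """Return (group_id, description) for every ingress rule not covered by
    the expected-upstream policy. An empty list means least privilege holds."""
    findings = []
    for sg in groups:
        allowed = expected.get(sg["GroupId"], {})
        for rule in sg["IpPermissions"]:
            ports = _rule_ports(rule)
            # CIDR-based sources are only acceptable on an internet-facing tier.
            for cidr in rule.get("IpRanges", []):
                net = ipaddress.ip_network(cidr["CidrIp"])
                if "internet" in allowed and ports <= allowed["internet"]:
                    continue
                findings.append(
                    (sg["GroupId"], f"CIDR {net} on ports {sorted(ports)}"))
            # Security-group sources must be the tier directly in front.
            for pair in rule.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if src in allowed and ports <= allowed[src]:
                    continue
                findings.append(
                    (sg["GroupId"], f"group {src} on ports {sorted(ports)}"))
    return findings


if __name__ == "__main__":
    for group_id, what in audit(SECURITY_GROUPS, EXPECTED_UPSTREAM):
        print(f"{group_id}: unexpected ingress from {what}")
```

Run against the constructed data, the audit reports the world-open SSH rule on the app tier and the VPC-wide MySQL rule on the database tier; the ELB's public HTTPS listener and the ELB-to-Apache rule pass. Replacing the database rule's CIDR with a `UserIdGroupPairs` reference to the app tier's group makes the finding disappear, which is the fix option A is getting at.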





Vinoth V

Answer is B

Gregory Flynn

Not sure that B is right. See:
http://www.utdallas.edu/~muratk/courses/cloud11f_files/AWS_Security_Whitepaper.pdf

IP Spoofing
Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.

Looks like they prevent this internally. Also they prevent packet sniffing, as mentioned in the same article:

Packet sniffing by other tenants
It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2 and Amazon VPC. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another’s data, as a standard practice customers should encrypt sensitive traffic.

Gregory Flynn

A makes sense because C is really unnecessary. We often terminate SSL at the ELB.

Stan

Answer is B to pass certification

ARUN MANGLICK

Ans: B