AWS Solutions Architect Associate Practice Test


Study for the AWS Solutions Architect Associate Test with our engaging quizzes. Utilize flashcards and multiple-choice questions, each with hints and explanations to enhance your understanding. Get exam-ready today!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What setup provides the highest level of security for a group of EC2 instances needing to connect to external resources?

  1. Instances in a public subnet with EIPs

  2. Instances in a private subnet with no EIPs

  3. Instances in a public subnet with NAT

  4. Instances in a private subnet with IGW

The correct answer is: Instances in a private subnet with no EIPs

The scenario describes a group of EC2 instances that require a high level of security while needing to connect to external resources. The best setup for this purpose is having instances in a private subnet with no Elastic IPs (EIPs). Instances in a private subnet are not directly exposed to the internet, which significantly reduces their attack surface. By not having public IP addresses or EIPs, these instances are shielded from direct access by external entities, thus enhancing the security profile.

Any necessary outbound communications to external resources can be accomplished through a NAT gateway or NAT instance, which acts as an intermediary, allowing controlled access while keeping the instances private. This configuration also permits better isolation for sensitive workloads and ensures that the instances can interact with external domains without exposing them directly to potential threats. Hence, the combination of being in a private subnet without EIPs provides a strong security posture, making it the most suitable option for the stated requirements.

In contrast, instances in a public subnet with EIPs can be directly accessed from the internet, which elevates security risks. Instances in a public subnet with NAT face similar challenges: although NAT allows them to communicate externally, their public nature still exposes them to greater potential vulnerabilities. Lastly, placing instances in a private subnet with