Q71 — AWS SCS-C02 Ch.1

A security engineer is designing a cloud architecture to support an application. The application runs on Amazon EC2 instances and processes sensitive information, including credit card numbers. The application will send the credit card numbers to a component that is running in an isolated environment. The component will encrypt, store, and decrypt the numbers. The component then will issue tokens to replace the numbers in other parts of the application. The component of the application that manages the tokenization process will be deployed on a separate set of EC2 instances. Other components of the application must not be able to store or access the credit card numbers. Which solution will meet these requirements?

Correct Answer: D. Deploy the tokenization code onto AWS Nitro Enclaves that are hosted on EC2 instances.

Explanation

AWS Nitro Enclaves provide an isolated compute environment for EC2 instances, ensuring that data cannot be accessed by the host or by other components while sensitive data is being processed. The isolation is hardware-level, implemented on the Nitro Hypervisor, and satisfies compliance requirements such as PCI DSS. Option A's dedicated instances isolate only the hardware layer and do not block other processes on the same instance or network access; option B's placement groups concern physical layout and have nothing to do with security isolation; option C's VPC isolation provides network segmentation but cannot prevent data leakage caused by instance-level permission misconfiguration. Nitro Enclaves fully isolate the data-processing flow through encrypted memory, a separate kernel, and communication restricted to a single enforced channel, which meets the question's requirement that other components cannot store or access the raw card numbers. Source: AWS security whitepapers and the Nitro Enclaves documentation.