Learn how to use AWS Nitro Enclaves on Amazon EC2 instances to tokenize sensitive data such as credit card numbers, and why an enclave isolates the card data from the rest of the application more strongly than Dedicated Instances, placement groups or a separate VPC.
Question
A security engineer is designing a cloud architecture to support an application. The application runs on Amazon EC2 instances and processes sensitive information, including credit card numbers.
The application will send the credit card numbers to a component that is running in an isolated environment. The component will encrypt, store, and decrypt the numbers. The component then will issue tokens to replace the numbers in other parts of the application.
The component of the application that manages the tokenization process will be deployed on a separate set of EC2 instances. Other components of the application must not be able to store or access the credit card numbers.
Which solution will meet these requirements?
A. Use EC2 Dedicated Instances for the tokenization component of the application.
B. Place the EC2 instances that manage the tokenization process into a partition placement group.
C. Create a separate VPC. Deploy new EC2 instances into the separate VPC to support the data tokenization.
D. Deploy the tokenization code onto AWS Nitro Enclaves that are hosted on EC2 instances.
Answer
The correct solution is to deploy the tokenization code onto AWS Nitro Enclaves that are hosted on EC2 instances (Option D).
Explanation
AWS Nitro Enclaves are isolated virtual machines that the Nitro Hypervisor carves out of an EC2 instance's own CPU and memory, so you can process highly sensitive data such as credit card numbers without exposing it to the rest of the instance. An enclave has no persistent storage, no interactive access (no SSH or console), and no external networking; its only channel to the outside world is a local vsock connection to the parent instance. Not even a root user or administrator on the parent instance can read the enclave's memory. The enclave image is measured at launch, and the hypervisor can produce a signed attestation document that AWS KMS verifies before releasing a key to the enclave (using the kms:RecipientAttestation condition keys in the key policy), so the data key used for encryption can be bound to the exact enclave code that is allowed to use it.
By deploying the tokenization component of the application inside Nitro Enclaves, you ensure that:
- The sensitive data (credit card numbers) is processed in a secure, isolated environment.
- Other components of the application running on the EC2 instances cannot access or store the credit card numbers directly.
- The tokenization process is performed within the Nitro Enclave, replacing the sensitive data with tokens before it leaves the enclave.
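The following is an added example of the enclave-side tokenization component described above; it is not code from the page or from AWS. It keeps a vault of encrypted card numbers in enclave memory, issues random tokens that carry no information about the card number, and talks to the parent instance only over vsock. Assumptions are marked inline: the enclave CID and vsock port are placeholders, get_data_key() returns a random key as a stand-in for the key that KMS would release after checking the attestation document, and the encryption is a stdlib-only encrypt-then-MAC construction used so the example runs without third-party packages (a real deployment would use AES-GCM with a KMS data key).

```python
# Added example (not the page's or AWS's code). Assumptions are marked inline.
import hashlib
import hmac
import json
import secrets
import socket
import struct

ENCLAVE_CID = 16   # assumption: CID assigned by nitro-cli at enclave launch
VSOCK_PORT = 5000  # assumption: port the enclave listens on


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject obviously malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d * 2 < 10 else d * 2 - 9
        total += d
    return total % 10 == 0


def get_data_key() -> bytes:
    # Stand-in: a real enclave obtains this key from KMS via the Nitro Enclaves
    # SDK (kmstool) with its attestation document attached; KMS releases the
    # key only if the enclave's PCR measurements satisfy the key policy.
    return secrets.token_bytes(32)


class TokenVault:
    """Card-number vault that exists only in enclave memory.

    Stand-in crypto: HMAC-SHA256 as a CTR-style keystream PRF plus an
    HMAC-SHA256 tag (encrypt-then-MAC). Use AES-GCM in production.
    """

    def __init__(self, data_key: bytes):
        self._enc_key = hmac.new(data_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(data_key, b"mac", hashlib.sha256).digest()
        self._store = {}  # token -> (nonce, ciphertext, tag); never leaves the enclave

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _seal(self, pt: bytes):
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce, ct, tag

    def _open(self, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
        expect = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            raise ValueError("vault entry failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isdigit() and 12 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(16)  # random: reveals nothing about the PAN
        self._store[token] = self._seal(digits.encode())
        return token

    def detokenize(self, token: str) -> str:
        if token not in self._store:
            raise ValueError("unknown token")
        return self._open(*self._store[token]).decode()


def handle_request(vault: TokenVault, req: dict) -> dict:
    """Dispatch one request from the parent instance. Error replies never echo a PAN."""
    try:
        if req.get("op") == "tokenize":
            return {"ok": True, "token": vault.tokenize(req["pan"])}
        if req.get("op") == "detokenize":
            return {"ok": True, "pan": vault.detokenize(req["token"])}
        return {"ok": False, "error": "unknown op"}
    except (KeyError, ValueError) as e:
        return {"ok": False, "error": str(e)}


def serve_vsock(vault: TokenVault) -> None:
    """Enclave side: length-prefixed JSON over vsock, the enclave's only I/O path."""
    srv = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    srv.bind((socket.VMADDR_CID_ANY, VSOCK_PORT))
    srv.listen(1)
    while True:
        conn, _ = srv.accept()
        with conn:
            hdr = conn.recv(4)
            if len(hdr) < 4:
                continue
            body = conn.recv(struct.unpack(">I", hdr)[0])
            reply = json.dumps(handle_request(vault, json.loads(body))).encode()
            conn.sendall(struct.pack(">I", len(reply)) + reply)


if __name__ == "__main__":
    serve_vsock(TokenVault(get_data_key()))
```

The parent instance connects to (ENCLAVE_CID, VSOCK_PORT) and only ever sends card numbers in and receives tokens back; detokenization requires a round trip into the enclave, so no process outside it, root included, can turn a token back into a card number or read the vault.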
None of the other options isolates the card numbers from the rest of the application. Dedicated Instances (Option A) only guarantee that the hardware is not shared with other AWS customers; every process on the instance, and anyone with root on it, can still read the data. A partition placement group (Option B) spreads instances across racks to limit correlated hardware failures and has nothing to do with data protection. A separate VPC (Option C) gives network segmentation, but the host operating system and other workloads on the tokenization instances can still store or access the numbers. Nitro Enclaves provide hypervisor-enforced CPU and memory isolation from the parent instance, expose nothing but a vsock channel, and let KMS tie key release to the enclave's attested code, which minimizes the attack surface while still running on the application's own EC2 instances.
Practice question and answer for the Amazon AWS Certified Security – Specialty (SCS-C02) certification exam, with explanation and reference, intended to help candidates prepare for and pass the exam.