SCS-C02 Question #414: Real Exam Question with Answer & Explanation
The correct answer is D: Deploy the tokenization code onto AWS Nitro Enclaves that are hosted on EC2 instances.
Question
A security engineer is designing a cloud architecture to support an application. The application runs on Amazon EC2 instances and processes sensitive information, including credit card numbers. The application will send the credit card numbers to a component that is running in an isolated environment. The component will encrypt, store, and decrypt the numbers. The component then will issue tokens to replace the numbers in other parts of the application. The component of the application that manages the tokenization process will be deployed on a separate set of EC2 instances. Other components of the application must not be able to store or access the credit card numbers. Which solution will meet these requirements?
Options
- A. Use EC2 Dedicated Instances for the tokenization component of the application.
- B. Place the EC2 instances that manage the tokenization process into a partition placement group.
- C. Create a separate VPC. Deploy new EC2 instances into the separate VPC to support the data
- D. Deploy the tokenization code onto AWS Nitro Enclaves that are hosted on EC2 instances.
Explanation
AWS Nitro Enclaves provide an isolated compute environment carved out of an EC2 instance's own CPU and memory. An enclave has no persistent storage, no interactive access (no SSH, no console), and no external networking; its only channel is a local vsock to the parent instance, and even the parent's root user cannot read enclave memory. That makes it the right place to hold card numbers and the key material that protects them, which no other application component may touch. Two practical consequences follow from the requirements in the question: because the enclave cannot store anything itself, the "store" step means the enclave hands encrypted numbers back to the parent as opaque ciphertext for persistence, and the key that protects them is released by AWS KMS only to an enclave whose attestation document matches the key policy, so a copy of the ciphertext alone is useless to any other component.
Why the distractors fail:
- A (Dedicated Instances) isolates your workload from other AWS customers' instances at the physical host level, but does nothing to prevent other components of your own application, or anyone with access to the instance, from reading the data.
- B (Partition placement groups) controls the physical placement of EC2 instances across racks to reduce correlated hardware failures; it is a resilience feature, not a security isolation feature.
- C (Separate VPC) is network segmentation only. The instances in that VPC still have disks, memory, and operating-system access for anyone who can log in to them, and the tokenization component must be reachable from the rest of the application anyway, so the VPC boundary does not keep the card numbers out of other components' hands.
Memory tip: Think of Nitro Enclaves as a "sealed vault inside your EC2 instance" - the parent instance itself can't peek inside. Whenever an exam question describes a component that processes sensitive data (PCI data, secrets, keys) and must be isolated from the rest of the application, including the parent instance's own administrators, and that must be able to prove what code it is running (attestation), Nitro Enclaves is the answer.
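To make the isolation concrete, here is an added example in Go of the parent/enclave exchange described above. It is not part of the question, the explanation, or any AWS sample. The tokenization component seals each card number with AES-GCM, binds the token to the ciphertext as associated data so a record opens only with its own token, and hands the parent back nothing but a token and an opaque record to persist, because the enclave has no storage of its own. The JSON framing, the `tok_` token format, the function names and the in-process `net.Pipe` standing in for the vsock pair are all this example's assumptions; on a real enclave the key would be released by AWS KMS after attestation rather than generated locally as it is here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net"
)

// Enclave is the tokenization component and holds the only copy of the data key.
// In production KMS releases that key only to an attested enclave; this demo hands it in (assumption).
type Enclave struct{ aead cipher.AEAD }

func NewEnclave(key []byte) (*Enclave, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Enclave{aead}, err
}

// Tokenize returns a random token and the PAN sealed with AES-GCM; the token is the AEAD associated data.
func (e *Enclave) Tokenize(pan string) (string, []byte, error) {
	buf := make([]byte, 16+e.aead.NonceSize())
	if _, err := rand.Read(buf); err != nil {
		return "", nil, err
	}
	token, nonce := fmt.Sprintf("tok_%x", buf[:16]), buf[16:]
	return token, e.aead.Seal(nonce, nonce, []byte(pan), []byte(token)), nil
}

// Detokenize fails closed on a tampered record or on a token that is not the record's own.
func (e *Enclave) Detokenize(token string, sealed []byte) (string, error) {
	ns := e.aead.NonceSize()
	if len(sealed) < ns {
		return "", fmt.Errorf("sealed record too short")
	}
	pan, err := e.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(token))
	return string(pan), err
}

// Message is one newline-delimited JSON frame on the parent<->enclave channel (example framing, not an AWS format).
type Message struct {
	Op     string `json:"op,omitempty"`
	PAN    string `json:"pan,omitempty"`
	Token  string `json:"token,omitempty"`
	Sealed []byte `json:"sealed,omitempty"`
	Error  string `json:"error,omitempty"`
}

// Serve answers requests until conn closes. Inside the enclave conn is an accepted AF_VSOCK socket, its only I/O.
func (e *Enclave) Serve(conn net.Conn) {
	dec, enc := json.NewDecoder(conn), json.NewEncoder(conn)
	for {
		var req, resp Message
		if dec.Decode(&req) != nil {
			return
		}
		var err error
		switch req.Op {
		case "tokenize":
			resp.Token, resp.Sealed, err = e.Tokenize(req.PAN)
		case "detokenize":
			resp.PAN, err = e.Detokenize(req.Token, req.Sealed)
		default:
			err = fmt.Errorf("unknown op %q", req.Op)
		}
		if err != nil {
			resp = Message{Error: err.Error()}
		}
		if enc.Encode(resp) != nil {
			return
		}
	}
}

// ParentCall is the parent-instance side of one exchange: it sends a PAN in and gets back
// only a token and an opaque sealed record, which the parent persists because the enclave
// has no storage. On EC2 conn is a vsock dialed to the enclave's CID (here a net.Pipe end).
func ParentCall(conn net.Conn, req Message) (resp Message, err error) {
	if err = json.NewEncoder(conn).Encode(req); err == nil {
		err = json.NewDecoder(conn).Decode(&resp)
	}
	if err == nil && resp.Error != "" {
		err = fmt.Errorf("enclave: %s", resp.Error)
	}
	return resp, err
}

func main() {
	key := make([]byte, 32) // demo key; a real enclave gets it from KMS after attestation
	rand.Read(key)
	enclave, _ := NewEnclave(key)
	parentEnd, enclaveEnd := net.Pipe() // stands in for the vsock pair
	go enclave.Serve(enclaveEnd)
	r, _ := ParentCall(parentEnd, Message{Op: "tokenize", PAN: "4111111111111111"}) // constructed test PAN
	fmt.Printf("parent persists only %s -> %x\n", r.Token, r.Sealed)
	_, err := ParentCall(parentEnd, Message{Op: "detokenize", Token: "tok_other", Sealed: r.Sealed})
	fmt.Println("foreign token rejected:", err)
}
```

Run it with `go run`. The first line printed is everything the parent's database ever sees: a token and ciphertext. The second call shows that a stored record presented with a foreign token fails authentication inside the enclave rather than yielding the number, which is what makes the ciphertext safe to keep outside the isolated environment.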