A mid-sized e-commerce company uses a multi-cloud environment with AWS and Azure. The vulnerability management team performs monthly authenticated scans using a commercial scanner. During the last scan, a critical remote code execution vulnerability (CVE-2023-XXXX) was identified on an EC2 instance running a legacy application. The application owner states that the instance cannot be patched immediately because the patch would break compatibility with a third-party API. The instance has direct internet access and handles PCI data. The CISO wants to reduce risk to an acceptable level within 48 hours. Which course of action should the analyst recommend?
A WAF can mitigate the specific RCE vector, and network restrictions reduce exposure.
Why this answer
Option A is correct because placing the EC2 instance behind a WAF and restricting inbound access to known IPs via security groups provides immediate compensating controls that reduce the attack surface of the critical RCE vulnerability. Since the instance cannot be patched within 48 hours, this network-layer isolation (the WAF filtering malicious payloads, the security groups limiting source IPs) meets the CISO's risk reduction requirement while maintaining business operations and PCI compliance.
Exam trap
CompTIA often tests the concept that compensating controls (such as a WAF plus security group restrictions) are acceptable for immediate risk reduction when patching is not feasible; candidates mistakenly choose a delayed patch (Option C) or an unrelated security fix (Option D) instead of the correct network-layer mitigation.
How to eliminate wrong answers
Option B is wrong because decommissioning the instance immediately would break the legacy application and the third-party API integration, causing unacceptable business disruption and potential PCI data processing failure; the CISO asked for risk reduction, not removal. Option C is wrong because applying the patch in two weeks violates the 48-hour risk reduction mandate and does not address the immediate threat; the analyst must recommend a compensating control, not a delayed patch. Option D is wrong because disabling TLS 1.0 and enabling TLS 1.2 addresses encryption weaknesses, not the remote code execution vulnerability (CVE-2023-XXXX); it does not mitigate the specific RCE attack vector.