Question 2
Domain 3: Infrastructure, Network, and Workload Security
In a microservices architecture deployed in containers, which security pattern provides defense in depth by ensuring that a compromise of one service does not automatically grant access to others?
Correct answer: A
Explanation
A service mesh with mutual TLS (mTLS) gives every workload its own certificate-backed identity and requires both ends of each service-to-service connection to present and verify a certificate before traffic is encrypted and forwarded. A compromised container can therefore act only under the identity its own certificate carries: it cannot forge another service's identity, read other services' traffic on the wire, or reach services whose policy does not admit that identity. That is defense in depth, because breaching one service does not by itself extend the breach to the rest of the mesh. The identity mTLS establishes is the input to the mesh's authorization policy (which callers each service accepts), so strict mTLS plus a per-service allow-list is the control; a permissive mode that still accepts plaintext callers gives up most of the benefit.
Why each option is right or wrong
A. Service mesh with mutual TLS
A service mesh that enforces mutual TLS at the sidecar/proxy layer requires both client and server certificates, issued by the mesh CA, for every east-west connection, so a compromised container cannot simply call neighboring services as an arbitrary authenticated peer. In practice this gives each request path a verified per-service identity and an encrypted transport, which is the defense-in-depth control that limits lateral movement across microservices: the attacker would also need certificate material that chains to the mesh CA and carries an identity the target service's authorization policy accepts.
B. Shared service accounts across microservices
Sharing one service account is the opposite of the pattern the question asks for: a single credential is valid everywhere it is accepted, so compromising any service that holds it grants the same access in every other service, and per-service audit trails are lost. It removes a boundary rather than adding one.
C. Monolithic authentication service
A single central authentication service may authenticate users or issue tokens, but it does not by itself authenticate or encrypt calls between services; services behind it typically still trust each other implicitly. It also concentrates risk in one high-value component, which is the reverse of defense in depth.
D. Database connection pooling
Connection pooling is a performance optimization that reuses open database connections; it is not an access-control boundary. When the pool uses one shared database credential, it can actually widen what a compromised service reaches rather than contain it.
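To make option A concrete, the following is an added example (written for this page, not code from the exam source or from any particular mesh) that models a sidecar's mTLS behaviour in the Go standard library: an in-process HTTPS server stands in for the "orders" service's proxy, every workload gets a certificate from a mesh CA whose SPIFFE-style URI SAN (`spiffe://cluster.local/ns/<ns>/sa/<name>`, modelled on the identity format SPIRE and Istio issue) is its identity, and the server requires and verifies client certificates before an authorization allow-list decides who may call. The trust domain, namespace, service names and the `allowedCallers` policy are all assumptions made for the demonstration. Four callers are tried: no certificate, a forged certificate with the right identity but from a rogue CA, a valid mesh workload that policy does not admit, and the one workload it does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// issue mints a cert signed by parent (self-signed root when nil); the identity is a SPIFFE-style URI SAN.
func issue(cn, spiffePath string, ca bool, parent *tls.Certificate) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		URIs:         []*url.URL{{Scheme: "spiffe", Host: "cluster.local", Path: spiffePath}}, // assumed trust domain
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
		DNSNames:    []string{"orders"}, // the name callers dial; only matters on the server cert
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // a root signs itself
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// allowedCallers is the orders service's (hypothetical) authorization policy: mTLS proves who calls, this decides whether they may.
var allowedCallers = map[string]bool{"spiffe://cluster.local/ns/shop/sa/checkout": true}

func ordersHandler(w http.ResponseWriter, r *http.Request) {
	id := ""
	if peer := r.TLS.PeerCertificates[0]; len(peer.URIs) > 0 { // already verified against ClientCAs in the handshake
		id = peer.URIs[0].String()
	}
	if !allowedCallers[id] {
		http.Error(w, "caller "+id+" not authorized", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "orders for %s", id)
}

// call sends one request trusting roots and presenting cert (nil = no client cert); returns the HTTP status or "tls rejected".
func call(roots *x509.CertPool, cert *tls.Certificate, target string) string {
	cfg := &tls.Config{RootCAs: roots, ServerName: "orders"}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr}).Get(target)
	if err != nil {
		return "tls rejected" // the server alerted and closed: no identity, no connection
	}
	resp.Body.Close()
	return fmt.Sprint(resp.StatusCode)
}

// demo puts the orders service behind strict mTLS and tries four kinds of caller.
func demo() map[string]string {
	meshCA := issue("mesh-ca", "/ca", true, nil)
	orders := issue("orders", "/ns/shop/sa/orders", false, meshCA)
	checkout := issue("checkout", "/ns/shop/sa/checkout", false, meshCA)
	search := issue("search", "/ns/shop/sa/search", false, meshCA)
	forged := issue("checkout", "/ns/shop/sa/checkout", false, issue("rogue-ca", "/ca", true, nil))
	meshRoots := x509.NewCertPool()
	meshRoots.AddCert(meshCA.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(ordersHandler))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{*orders},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mTLS: no trusted cert, no connection
		ClientCAs:    meshRoots,                       // only workloads the mesh CA issued count as peers
	}
	srv.StartTLS()
	defer srv.Close()
	return map[string]string{
		"no client cert":                 call(meshRoots, nil, srv.URL),
		"forged checkout cert, rogue CA": call(meshRoots, forged, srv.URL), // same SPIFFE ID, wrong issuer
		"search, mesh cert, no policy":   call(meshRoots, search, srv.URL),
		"checkout, mesh cert, allowed":   call(meshRoots, checkout, srv.URL),
	}
}

func main() { fmt.Println(demo()) }
```

The two "tls rejected" results are the transport-layer part of the answer: without a certificate that chains to the mesh CA the connection never reaches the application, whichever identity string the attacker writes into a certificate of their own. The 403 for `search` is the caveat from the explanation above: a compromised container that still holds its own valid mesh certificate is authenticated, so what stops lateral movement from there is the per-service authorization policy keyed on that identity, not the handshake alone.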