Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 107 discussion

A systems engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.

What configuration is necessary to allow the virtual security appliance to route the traffic?

  • A. Disable network ACLs.
  • B. Configure the security appliance's elastic network interface for promiscuous mode.
  • C. Disable the Network Source/Destination check on the security appliance's elastic network interface.
  • D. Place the security appliance in the public subnet with the internet gateway.
Suggested Answer: C

Comments

vikasj1in
10 months, 3 weeks ago
C. When you deploy a virtual security appliance inline in a subnet, you need to ensure that it can effectively route traffic between different subnets. The "Network Source/Destination check" is a feature in Amazon EC2 that controls whether source/destination checking is enabled or disabled on a network interface. In this context, the virtual security appliance acts as a router, and the "Network Source/Destination check" should be disabled on its elastic network interface. When this check is disabled, the network interface can handle traffic that is not specifically destined for the instance it is attached to, allowing it to route traffic between different subnets.
upvoted 2 times
...
rahav
11 months, 2 weeks ago
Selected Answer: C
C for sure
upvoted 1 times
...
Daniel76
11 months, 3 weeks ago
Selected Answer: C
Source/destination checking: You can enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. Source/destination checks are enabled by default. You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
upvoted 3 times
...
azure4life
11 months, 3 weeks ago
Selected Answer: C
Option C is the correct solution. To allow a virtual security appliance deployed inline to route traffic between subnets, the Network Source/Destination Check needs to be disabled on its elastic network interface. This enables the appliance to receive traffic that is not specifically addressed to itself. Option A is incorrect because disabling network ACLs is not required for a virtual appliance deployment and would reduce security. Option B mentions promiscuous mode which applies to physical network interfaces, not virtual ones in AWS. Option D places the appliance in the public subnet which may help route internet traffic but does not address routing between private subnets. Disabling the Source/Destination Check is required to enable that routing functionality.
upvoted 4 times
...
Oralinux
12 months ago
Answer: C
upvoted 1 times
...
kejam
1 year ago
Selected Answer: C
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
upvoted 3 times
...
[Removed]
1 year ago
Selected Answer: C
C is correct
upvoted 3 times
...
oioi
1 year ago
Selected Answer: C
correct
upvoted 2 times
...
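The check discussed in this thread can be modelled and audited offline. The following is an added example, not code from the question or from any commenter: it assumes JSON shaped like the output of `aws ec2 describe-network-interfaces`, and the interface IDs, instance IDs, addresses and the `APPLIANCES` inventory are all constructed for illustration.

```python
# Constructed sample, shaped like `aws ec2 describe-network-interfaces` output.
SAMPLE = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0000000000000001a", "SourceDestCheck": True,
     "PrivateIpAddress": "10.0.1.10",
     "Attachment": {"InstanceId": "i-0000000000000000a"}},   # appliance, side A
    {"NetworkInterfaceId": "eni-0000000000000002a", "SourceDestCheck": False,
     "PrivateIpAddress": "10.0.2.10",
     "Attachment": {"InstanceId": "i-0000000000000000a"}},   # appliance, side B
    {"NetworkInterfaceId": "eni-0000000000000003b", "SourceDestCheck": True,
     "PrivateIpAddress": "10.0.2.40",
     "Attachment": {"InstanceId": "i-0000000000000000b"}},   # ordinary workload
    {"NetworkInterfaceId": "eni-0000000000000004c", "SourceDestCheck": False,
     "PrivateIpAddress": "10.0.2.77",
     "Attachment": {"InstanceId": "i-0000000000000000c"}},   # not an appliance
]}
APPLIANCES = {"i-0000000000000000a"}  # assumed inventory of routing/firewall instances


def eni_addresses(eni):
    """All private IPv4 addresses assigned to the interface."""
    addrs = {a["PrivateIpAddress"] for a in eni.get("PrivateIpAddresses", [])}
    if eni.get("PrivateIpAddress"):
        addrs.add(eni["PrivateIpAddress"])
    return addrs


def passes_check(eni, src, dst):
    """Simplified model: with the check on, the ENI must be the source or destination."""
    if not eni.get("SourceDestCheck", True):
        return True
    return bool({src, dst} & eni_addresses(eni))


def audit(response, appliances):
    """Return (appliance ENIs that still drop transit traffic, unexpected forwarders)."""
    blocked, unexpected = [], []
    for eni in response.get("NetworkInterfaces", []):
        owner = eni.get("Attachment", {}).get("InstanceId")
        check_on = eni.get("SourceDestCheck", True)
        if owner in appliances and check_on:
            blocked.append(eni["NetworkInterfaceId"])
        elif owner not in appliances and not check_on:
            unexpected.append(eni["NetworkInterfaceId"])
    return blocked, unexpected


if __name__ == "__main__":
    print(audit(SAMPLE, APPLIANCES))
```

An interface in the first list is the troubleshooting case from the question and is corrected with `aws ec2 modify-network-interface-attribute --network-interface-id <eni-id> --no-source-dest-check`; an interface in the second list has the check disabled without being a known appliance and is worth reviewing.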