ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 135 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 135
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.

Which of the following troubleshooting steps should be performed?

  • A. Check inbound and outbound security groups, looking for DENY rules
  • B. Check inbound and outbound Network ACL rules, looking for DENY rules
  • C. Review the rejected packet reason codes in the VPC Flow Logs
  • D. Use AWS X-Ray to trace the end-to-end application flow
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Zek at May 13, 2024, 5:50 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Bachhu
4 months ago
Selected Answer: C
It should be C.
upvoted 1 times
urbanmonk
4 months ago
The question is poorly worded but there is nothing like "rejected packet reason code" in VPC flow log format. VPC flow logs does not offer packet inspection, hence this invalidates option C. VPC Flow Log format: Acct ID | ENI ID | Src IP | Dest IP | Source Port | Dest Port | Protocol | Packets | Bytes | Start & End Time | Action(accept, reject) | Status By mere elimination, the closest answer to reason should be B
upvoted 1 times
...
...
yismail
6 months ago
Correct answer is C, other Instances in the same subnet can communicate, this eliminate the issue of NACL, if the deny role is attached the NACL on the same subnet, other Instances will not be able to communicate, only VPC flow logs can determine the error msg
upvoted 1 times
...
navid1365
9 months ago
Selected Answer: B
The answer is B. Here is the reason: 1) A cannot be correct since the questions explicitly mentions that SG are configured with correct rules 2) B is correct. NACLs are attached to a subnet and can have both ALLOW and DENY rules. Given that the other hosts in the two subnets can communicate successfully, there has to be an explicit DENY rule that denies access between the two hosts in question.
upvoted 1 times
...
DeadDropLabs
10 months, 3 weeks ago
Selected Answer: B
For C - While VPC Flow Logs can provide insights into why packets are being rejected, this is a more detailed troubleshooting step. Checking the NACL rules is a more direct approach to identifying potential network layer issues.
upvoted 4 times
...
aescudero51
11 months ago
Selected Answer: C
C is more relevant due to "It has been confirmed that other hosts in the same subnets are able to communicate successfully" where it says "other hosts in the same subnets" excluding NACL issue..
upvoted 2 times
helloworldabc
7 months, 1 week ago
just B
upvoted 1 times
...
...
Certified101
11 months, 1 week ago
B - SG dont have deny rules
upvoted 3 times
...
Zek
11 months, 2 weeks ago
Will go with B https://www.examtopics.com/discussions/amazon/view/30042-exam-aws-certified-security-specialty-topic-1-question-176/
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago