
Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 191 discussion

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

  • A. Make the following changes to NACL3:
    • Add a rule that allows inbound traffic on port 5432 from NACL2.
    • Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.
    • Remove the default rules that allow all inbound and outbound traffic.
  • B. Make the following changes to NACL3:
    • Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.
    • Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.
    • Remove the default rules that allow all inbound and outbound traffic.
  • C. Make the following changes to NACL2:
    • Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.
    • Remove the default rules that allow all inbound and outbound traffic.
  • D. Make the following changes to NACL2:
    • Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.
    • Add a rule that allows outbound traffic on port 5432 to the RDS subnets.
Suggested Answer: B
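As an added example (not part of the exam question or this discussion), the following Python model evaluates network ACL rules the way AWS does, statelessly and in ascending rule-number order with an implicit final deny, using constructed subnet CIDRs for the NACL2 and NACL3 subnets. It shows why option B needs both the inbound 5432 rule and the outbound ephemeral-port rule on NACL3 once the default allow-all rules are removed.

```python
"""Stateless NACL evaluation: first matching rule by number wins, otherwise deny.
Because the ACL keeps no connection state, PostgreSQL's reply packets (sent to the
client's ephemeral port) must match their own outbound allow rule."""
import ipaddress
from dataclasses import dataclass

APP_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]  # constructed CIDRs for the NACL2 subnets


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str   # "in" or "out"
    protocol: str    # "tcp" or "all"
    cidr: str        # source for inbound rules, destination for outbound rules
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def evaluate(rules, direction, ip, port, protocol="tcp"):
    """Return 'allow' or 'deny' for a single packet under AWS NACL semantics."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction != direction or r.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        return r.action
    return "deny"  # the implicit "*" rule at the end of every NACL


# Option B applied to NACL3, with the default allow-all rules removed.
# The question writes the ephemeral range as 1024-65536; TCP ports end at 65535,
# so the model assumes 1024-65535 (the range AWS documents for return traffic).
NACL3_OPTION_B = [
    Rule(100, "in", "tcp", APP_SUBNETS[0], 5432, 5432, "allow"),
    Rule(110, "in", "tcp", APP_SUBNETS[1], 5432, 5432, "allow"),
    Rule(100, "out", "tcp", APP_SUBNETS[0], 1024, 65535, "allow"),
    Rule(110, "out", "tcp", APP_SUBNETS[1], 1024, 65535, "allow"),
]


def db_connection_works(rules, client_ip, client_port):
    """A PostgreSQL session needs the request (to 5432) and the reply (to the
    client's ephemeral port) to both pass the stateless ACL."""
    request = evaluate(rules, "in", client_ip, 5432)
    reply = evaluate(rules, "out", client_ip, client_port)
    return request == "allow" and reply == "allow"
```

Dropping the outbound rules leaves the inbound request allowed but the reply denied, which is the failure mode a stateful security group would never show.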

Comments

molerowan
3 days, 18 hours ago
Selected Answer: B
A: Referencing NACL2 (instead of CIDR blocks) is invalid—NACL rules require IP ranges, not ACL identifiers. C/D: Modifying NACL2 (application subnet) is unnecessary here. The ALB already forwards traffic to port 80 on the EC2 instances, which is managed by security groups. NACL2’s default allow-all rules are already sufficient for ALB-to-EC2 traffic.
upvoted 1 times
Pat9595
1 month, 2 weeks ago
Selected Answer: B
Why is B the Best Choice?
  • Restricts Database Access (RDS - NACL3): The RDS instance only needs to accept traffic from the application instances (NACL2) on port 5432 (PostgreSQL). This prevents unauthorized access from other sources.
  • Ensures Proper Response Traffic Flow: PostgreSQL replies on ephemeral ports (1024-65536), so outbound traffic from NACL3 to NACL2 must be allowed for the connection to function.
  • Removes Open Access: The default allow-all rules are removed, improving security. Only necessary inbound and outbound traffic is permitted.
upvoted 1 times
youonebe
2 months, 1 week ago
Selected Answer: C
Answer is C. By default, AWS creates NACLs that allow all inbound and outbound traffic. To improve security, it is recommended to restrict access to only necessary traffic. There is no need for the DB subnet to open a broad range of ports. Another problem with B is: how would you protect the application server if the NACL rule still allows all traffic? The question asks us to protect the application.
upvoted 1 times
TareDHakim
2 months, 1 week ago
Selected Answer: B
B. The database will allow access from/to the application subnet only.
upvoted 1 times
maciekmacku
5 months, 1 week ago
I think B is correct. Inbound 5432 is allowed, and outbound for ephemeral ports. Answer A is wrong, as you can't use another NACL as a source.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other