Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 247 discussion

A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener.

Which configuration steps should the security engineer take to accomplish this task?

  • A. Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB’s default security group.
  • B. Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC’s internet gateway.
  • C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC’s internet gateway.
  • D. Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.
Suggested Answer: D
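The reasoning behind answer D is that security group rules can only allow, never deny, so the only way to keep port 80 closed on the ALB is to attach a single group whose sole inbound rule is TCP 443. The following audit check is an added example, not part of the original page; it evaluates constructed sample groups shaped like the IpPermissions structure that EC2 describe_security_groups returns (group IDs are placeholders).

```python
"""Audit an ALB's security groups for HTTPS-only ingress.

Security groups are allow-lists: rules only permit, never deny, and the rules of
all groups attached to an interface are merged. So to keep an ALB from accepting
plaintext HTTP regardless of its listeners, 'TCP 443 from anywhere' must be the
only inbound rule on the only group attached to it. The sample groups below are
constructed to mirror EC2 describe_security_groups output (no AWS access needed).
"""
HTTPS_PORT = 443


def ingress_findings(ip_permissions):
    """Describe every inbound rule that is not 'TCP 443'; empty list = clean."""
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        if proto == "-1":  # 'all traffic' rule: ports are absent entirely
            findings.append(f"all traffic allowed from {sources}")
        elif proto != "tcp" or (lo, hi) != (HTTPS_PORT, HTTPS_PORT):
            findings.append(f"{proto} {lo}-{hi} allowed from {sources}")
    return findings


def alb_https_only(attached_groups):
    """Return (passed, findings) for the list of groups attached to the ALB.
    More than one group fails outright: any extra group can re-open port 80."""
    if len(attached_groups) != 1:
        ids = [g["GroupId"] for g in attached_groups]
        return False, [f"expected exactly one security group, found {ids}"]
    findings = ingress_findings(attached_groups[0]["IpPermissions"])
    return not findings, findings


# Constructed sample data (placeholder group IDs, not real AWS resources).
RULE_443 = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
RULE_80 = {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
           "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
SG_HTTPS_ONLY = {"GroupId": "sg-placeholder-443", "IpPermissions": [RULE_443]}
SG_DEFAULT_WEB = {"GroupId": "sg-placeholder-web", "IpPermissions": [RULE_80, RULE_443]}

if __name__ == "__main__":
    for groups in ([SG_HTTPS_ONLY], [SG_DEFAULT_WEB], [SG_HTTPS_ONLY, SG_DEFAULT_WEB]):
        passed, findings = alb_https_only(groups)
        print("PASS" if passed else "FAIL", findings)
```

The third case shows why "the only one associated with the ALB" matters in option D: a permissive second group merges with the strict one and re-exposes port 80.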

Comments

m_ch333
3 months, 3 weeks ago
Selected Answer: D
D. For security group, you can specify allow rules, but not deny rules. https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html
upvoted 1 times
Curl8012
4 months, 2 weeks ago
Selected Answer: D
Between A and D: A - there is no such thing as a deny rule in a security group. D - although not exhaustive, it is the best choice among these.
upvoted 2 times
IPLogic
4 months, 3 weeks ago
Selected Answer: A
Option A is the most effective solution to ensure that the ALB only accepts HTTPS connections. By creating a security group that denies inbound connections on port 80 and attaching it to the ALB, you can override any permissive rules from the default security group. This will prevent HTTP traffic from reaching the ALB, even if it's misconfigured.
upvoted 1 times
IPLogic
4 months, 3 weeks ago
Option A: Ensures no traffic on port 80 by explicitly denying it, providing clear and enforceable security. Option D: Allows HTTPS traffic but does not explicitly deny HTTP, which leaves room for misconfigurations. For a thorough and precise solution, Option A remains the best choice. It provides explicit control over the types of traffic your ALB can accept, ensuring compliance with minimal risk.
upvoted 1 times
jdx000
5 months ago
Selected Answer: D
Agree, D.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other