Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 234 discussion

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).

The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Choose two.)

  • A. Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
  • B. Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
  • C. Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.
  • D. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.
  • E. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway in the public subnet of the same Availability Zone as the target of the route.
Suggested Answer: AD

Comments

molerowan
19 hours, 57 minutes ago
Selected Answer: AD
Provision NAT Gateways in Public Subnets (A): Private subnets require NAT gateways for outbound internet access. NAT gateways must be in public subnets (as per search result 1 and 4) because they need internet connectivity via the internet gateway. Each Availability Zone (AZ) should have its own NAT gateway to ensure redundancy and prevent cross-AZ data transfer costs.

Update Private Subnet Route Tables (D): Private subnets should route 0.0.0.0/0 traffic to the NAT gateway in the same AZ's public subnet. This ensures private instances use the NAT gateway for outbound traffic instead of the internet gateway.

Public Subnets: Route 0.0.0.0/0 to the internet gateway (correctly configured). Private Subnets: Route 0.0.0.0/0 to the NAT gateway (traffic is masked via NAT and forwarded through the public subnet's internet gateway).
upvoted 1 times
IPLogic
3 months, 1 week ago
Selected Answer: AD
A. NAT Gateway Provisioning: NAT gateways need to be in the public subnet of each Availability Zone to enable instances in the private subnets to connect to the internet for updates and other tasks, without exposing these instances directly to the internet.

D. Route Table Modification: Private subnets should route their outbound internet traffic to the NAT gateway in the corresponding public subnet. This ensures that private subnet traffic passes through the NAT gateway, which then routes it to the internet gateway, maintaining security by preventing direct internet access.
upvoted 1 times
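The fix both comments above describe (a NAT gateway in the public subnet of each AZ, then each private route table's 0.0.0.0/0 pointed at the NAT gateway of the same AZ) can be checked and applied from the `describe-*` output rather than by eye. The following is an added example, not code from the exam page or from AWS: its input is constructed with hypothetical resource IDs to mirror the key names of `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways` (boto3 returns the same keys), and it assumes `MapPublicIpOnLaunch` marks the tier the engineer intended as public.

```python
"""Audit and fix the question's scenario: private subnets whose 0.0.0.0/0 route
points at the internet gateway. Added example, not from the exam page or AWS.
Input dicts are constructed to mirror describe-subnets / describe-route-tables /
describe-nat-gateways key names; all IDs are hypothetical."""

import copy

# Constructed broken state: two AZs, a public and a private subnet in each, one
# public route table, one private route table per AZ, every table sends 0.0.0.0/0
# to the IGW. Assumption: MapPublicIpOnLaunch marks the intended public tier.
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
]
NAT_GATEWAYS = [  # step A already done: one NAT gateway in the public subnet of each AZ
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b", "State": "available"},
]
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
TO_IGW = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-main", "State": "active"}
BROKEN_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Routes": [LOCAL, TO_IGW],
     "Associations": [{"Main": True}, {"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}]},
    {"RouteTableId": "rtb-private-a", "Routes": [LOCAL, TO_IGW], "Associations": [{"SubnetId": "subnet-priv-a"}]},
    {"RouteTableId": "rtb-private-b", "Routes": [LOCAL, TO_IGW], "Associations": [{"SubnetId": "subnet-priv-b"}]},
]

def subnet(subnets, subnet_id):
    return next(s for s in subnets if s["SubnetId"] == subnet_id)

def table_for(route_tables, subnet_id):
    """Effective route table: the subnet's explicit association, else the VPC main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))

def default_route(rt):
    return next((r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def has_igw_default(route_tables, subnet_id):
    """True when the subnet's effective table sends 0.0.0.0/0 to an internet gateway."""
    route = default_route(table_for(route_tables, subnet_id))
    return route is not None and route.get("GatewayId", "").startswith("igw-")

def shares_table_with_public(rt, subnets):
    return any(subnet(subnets, a["SubnetId"])["MapPublicIpOnLaunch"] for a in rt["Associations"] if "SubnetId" in a)

def audit_private_egress(route_tables, subnets, nat_gateways):
    """One finding per private subnet whose egress is wrong; [] means every private subnet
    exits through an available NAT gateway that sits in a public subnet of its own AZ."""
    nats = {n["NatGatewayId"]: n for n in nat_gateways}
    findings = []
    for sn in (s for s in subnets if not s["MapPublicIpOnLaunch"]):
        sid, az = sn["SubnetId"], sn["AvailabilityZone"]
        rt = table_for(route_tables, sid)
        if shares_table_with_public(rt, subnets):
            findings.append(f"{sid}: shares {rt['RouteTableId']} with a public subnet")
            continue
        route = default_route(rt)
        if route is None:
            findings.append(f"{sid}: no 0.0.0.0/0 route in {rt['RouteTableId']} (no egress at all)")
        elif route.get("GatewayId", "").startswith("igw-"):
            findings.append(f"{sid}: 0.0.0.0/0 -> {route['GatewayId']} in {rt['RouteTableId']} (routes straight to the IGW)")
        elif "NatGatewayId" in route:
            nat = nats.get(route["NatGatewayId"])
            if nat is None or nat["State"] != "available":
                findings.append(f"{sid}: default route targets missing/unavailable NAT {route['NatGatewayId']}")
            elif not has_igw_default(route_tables, nat["SubnetId"]):
                findings.append(f"{sid}: NAT {nat['NatGatewayId']} has no IGW route itself (the option-B placement)")
            elif subnet(subnets, nat["SubnetId"])["AvailabilityZone"] != az:
                findings.append(f"{sid}: NAT {nat['NatGatewayId']} is in another AZ (cross-AZ egress)")
        else:
            findings.append(f"{sid}: unexpected 0.0.0.0/0 target {route}")
    return findings

def remediate(route_tables, subnets, nat_gateways):
    """Step D: return a copy of route_tables where each private subnet's own table sends
    0.0.0.0/0 to the available NAT gateway of its AZ. Raises if an AZ has no such NAT
    gateway (do step A first) or if the private subnet shares a table with a public one."""
    nat_by_az = {subnet(subnets, n["SubnetId"])["AvailabilityZone"]: n["NatGatewayId"]
                 for n in nat_gateways if n["State"] == "available"}
    fixed = copy.deepcopy(route_tables)  # never mutate the caller's describe output
    for sn in (s for s in subnets if not s["MapPublicIpOnLaunch"]):
        az = sn["AvailabilityZone"]
        if az not in nat_by_az:
            raise LookupError(f"no available NAT gateway in {az}: provision one in its public subnet first")
        rt = table_for(fixed, sn["SubnetId"])
        if shares_table_with_public(rt, subnets):
            raise ValueError(f"{sn['SubnetId']} shares {rt['RouteTableId']} with a public subnet; give it its own table")
        rt["Routes"] = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") != "0.0.0.0/0"]
        rt["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": nat_by_az[az], "State": "active"})
    return fixed

if __name__ == "__main__":
    for finding in audit_private_egress(BROKEN_ROUTE_TABLES, SUBNETS, NAT_GATEWAYS):
        print("FINDING:", finding)
    fixed = remediate(BROKEN_ROUTE_TABLES, SUBNETS, NAT_GATEWAYS)
    print("after remediation:", audit_private_egress(fixed, SUBNETS, NAT_GATEWAYS) or "clean")
```

Run as-is it reports the two private subnets routing to `igw-main`, then a clean audit after `remediate`. The audit also catches the two distractors: a NAT gateway placed in a private subnet (option B) is flagged because its own subnet has no IGW route, and `remediate` refuses to run for an AZ without an available NAT gateway, which is why step A precedes step D. Against a live VPC the same loop would call boto3's `create_route` / `replace_route` with the `NatGatewayId` instead of editing the copied dict.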
Community vote distribution: A (35%), C (25%), B (20%), Other