Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 261 discussion

A company runs a workload in a single VPC on AWS. The company’s architecture contains several interface VPC endpoints for AWS services, including Amazon CloudWatch Logs and AWS Key Management Service (AWS KMS). The endpoints are configured to use a shared security group. The security group is not used for any other workloads or resources.

After a security review of the environment, the company determined that the shared security group is more permissive than necessary. The company wants to make the rules associated with the security group more restrictive. The changes to the security group rules must not prevent the resources in the VPC from using AWS services through interface VPC endpoints. The changes must prevent unnecessary access.

The security group currently uses the following rules:

• Inbound - Rule 1: Protocol TCP, Port 443, Source 0.0.0.0/0
• Inbound - Rule 2: Protocol TCP, Port 443, Source VPC CIDR
• Outbound - Rule 1: Protocol All, Port All, Destination 0.0.0.0/0

Which rule or rules should the company remove to meet these requirements?

  • A. Outbound - Rule 2
  • B. Inbound - Rule 1 and Outbound - Rule 1
  • C. Inbound - Rule 2 and Outbound - Rule 1
  • D. Outbound - Rule 1
Suggested Answer: B
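The reasoning behind answer B can be encoded as a check. Interface endpoint ENIs only ever receive connections (TCP 443 from consumers in the VPC) and never initiate any, so every outbound rule on an endpoint-only security group is unnecessary: security groups are stateful and return traffic for an allowed inbound flow is permitted without an egress rule. Inbound Rule 1 (0.0.0.0/0) is redundant only because Inbound Rule 2 already admits the VPC CIDR on the same protocol and port; if Rule 2 did not exist, removing Rule 1 would break endpoint access. The following script is an added example, not part of the original question or of any AWS tooling; it works on an inline transcription of the rules above and assumes 10.0.0.0/16 as the VPC CIDR (the question only says "VPC CIDR").

```python
"""Audit a security group that is attached only to interface VPC endpoints.

Added example. Rules are transcribed inline from the question; the VPC
CIDR value is an assumption. In a real account the rules would come from
`aws ec2 describe-security-group-rules` and the removals would be applied
with `aws ec2 revoke-security-group-ingress` / `revoke-security-group-egress`.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    from_port: int   # 0..65535 when protocol is "all"
    to_port: int
    cidr: str        # source CIDR for inbound, destination CIDR for outbound

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.cidr)

    def same_service(self, other: "Rule") -> bool:
        return (self.protocol, self.from_port, self.to_port) == (
            other.protocol, other.from_port, other.to_port)


VPC_CIDR = "10.0.0.0/16"  # assumed; the question only says "VPC CIDR"

# The three rules exactly as listed in the question.
CURRENT_RULES = [
    Rule("Inbound - Rule 1", "inbound", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("Inbound - Rule 2", "inbound", "tcp", 443, 443, VPC_CIDR),
    Rule("Outbound - Rule 1", "outbound", "all", 0, 65535, "0.0.0.0/0"),
]


def audit_endpoint_sg(rules, vpc_cidr, required=(("tcp", 443, 443),)):
    """Return (remove, keep, warnings) for an endpoint-only security group.

    `required` lists the protocol/port ranges consumers in the VPC must still
    be able to reach after the cleanup (443/tcp for interface endpoints).
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    remove, keep, warnings = [], [], []

    for r in rules:
        if r.direction == "outbound":
            # Endpoint ENIs never initiate connections; stateful return
            # traffic for allowed inbound flows needs no egress rule.
            remove.append(r.name)
            continue

        src = r.network
        if src == vpc:
            keep.append(r.name)  # the minimal rule the endpoints need
        elif vpc.subnet_of(src):
            # Wider than the VPC (e.g. 0.0.0.0/0). Redundant only if a
            # VPC-scoped rule for the same protocol/ports already exists.
            has_vpc_twin = any(
                o.direction == "inbound" and o.same_service(r) and o.network == vpc
                for o in rules)
            if has_vpc_twin:
                remove.append(r.name)
            else:
                keep.append(r.name)
                warnings.append(
                    f"{r.name}: source {r.cidr} is wider than the VPC; add a "
                    f"{vpc} rule on {r.protocol}/{r.from_port}-{r.to_port} "
                    f"before removing it")
        else:
            keep.append(r.name)
            warnings.append(
                f"{r.name}: source {r.cidr} is outside the VPC; confirm that a "
                f"peered, VPN or Direct Connect consumer really needs it")

    # Sanity check: every required service must still be reachable from the VPC.
    remaining = [r for r in rules if r.direction == "inbound" and r.name in keep]
    for proto, lo, hi in required:
        reachable = any(
            r.protocol in (proto, "all")
            and r.from_port <= lo and hi <= r.to_port
            and vpc.subnet_of(r.network)
            for r in remaining)
        if not reachable:
            warnings.append(
                f"no remaining inbound rule admits the VPC on {proto}/{lo}-{hi}; "
                f"endpoint access would break")
    return remove, keep, warnings


if __name__ == "__main__":
    remove, keep, warnings = audit_endpoint_sg(CURRENT_RULES, VPC_CIDR)
    print("remove:", remove)
    print("keep:  ", keep)
    for w in warnings:
        print("warn:  ", w)
```

With the question's rules the audit returns remove = ["Inbound - Rule 1", "Outbound - Rule 1"] and keep = ["Inbound - Rule 2"] with no warnings, which is answer B. Run it with Inbound Rule 2 deleted from the list and it keeps Rule 1 and warns that a VPC-scoped rule must be added first, which is the check worth doing before revoking a 0.0.0.0/0 rule in production.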

Comments

secdaddy
3 days, 13 hours ago
Selected Answer: B
Inbound rule 2 allows incoming traffic from the VPC CIDR to the endpoints, so you can delete inbound rule 1, which is wider than the VPC CIDR, and as SGs are stateful and automatically allow return traffic, you can delete the outbound rule. No need to add anything.
upvoted 1 times
woorkim
6 days, 2 hours ago
Selected Answer: B
Keep Inbound Rule 2 (VPC CIDR) so that only resources in the VPC can connect to the endpoints. Replace the removed outbound rule with a more restrictive rule that allows outbound traffic only to the AWS service VPC endpoints.
upvoted 2 times
kowal_001
3 weeks ago
Selected Answer: A
The question is not complete. The correct answer should be inbound rule 1. Inbound rule 2 is not complete, but I assume there are some network CIDRs provided, so only this inbound rule should stay. There is also only one outbound rule, so it doesn't make sense to remove outbound rule 2.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other