Exam AWS Certified Security - Specialty topic 1 question 155 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 155
Topic #: 1

A Security Architect has been asked to review an existing security architecture and identify why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
1. An Application Load Balancer, an internet gateway and a NAT gateway are configured in the public subnet.
2. Database, application, and web servers are configured on three different private subnets.
3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
5. There are 3 Security Groups (SGs): database, application, and web. Each group limits all inbound and outbound connectivity to the minimum required.
Which of the following accurately reflects the access control mechanisms the Architect should verify?

  • A. Outbound SG configuration on database servers; inbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet
  • B. Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound and outbound network ACL configuration on the database subnet; inbound and outbound network ACL configuration on the application server subnet
  • C. Inbound and outbound SG configuration on database servers; inbound and outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet
  • D. Inbound SG configuration on database servers; outbound SG configuration on application servers; inbound network ACL configuration on the database subnet; outbound network ACL configuration on the application server subnet
Suggested Answer: C 🗳️

Comments

PeppaPig
Highly Voted 2 years, 6 months ago
B is right. NACL is stateless so both inbound and outbound checks are needed
upvoted 31 times
Stardec
2 years, 5 months ago
SG is stateless. NACL isn't
upvoted 1 times
Stpn2me
2 years, 5 months ago
SG is stateful. NACL is stateless..
upvoted 4 times
Stardec
2 years, 5 months ago
SG is stateful. NACL is stateless.
upvoted 1 times
Weekly_diary
2 years, 5 months ago
I understand that NACL is stateless and SG is stateful. So, why A can't be the answer too?
upvoted 1 times
dnd1000
2 years, 5 months ago
Because the connection is going from the application server to the db server. So the sg that will allow this connection is the inbound for the db server, and the outbound for the application server.
upvoted 5 times
Raphaello
Most Recent 1 month ago
Selected Answer: B
B is the correct answer.
upvoted 1 times
huyrk102
1 year, 1 month ago
Selected Answer: B
SG stateful, ACL stateless: Outbound SG APP ==> In&Outbound ACL APP ==> In&Outbound ACL DB ==> Inbound SG DB
upvoted 3 times
skillz2investor
1 year, 4 months ago
Selected Answer: B
B is correct ans.
upvoted 2 times
Chandrajith
1 year, 4 months ago
There is a condition in the question "Each group limits all inbound and outbound connectivity to the minimum required." So that rules out the Stateful characteristic of SG. Ref: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#:~:text=You%20can%20remove%20the%20rule,no%20outbound%20traffic%20is%20allowed. I think option C is the correct one.
upvoted 1 times
Chandrajith
1 year, 4 months ago
There is a condition in the question "Each group limits all inbound and outbound connectivity to the minimum required." So that rules out the Stateful characteristic of SG. Ref: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwiskeCoirX7AhWB1DgGHRAiDF0QFnoECA0QAw&url=https%3A%2F%2Fdocs.aws.amazon.com%2Fvpc%2Flatest%2Fuserguide%2FVPC_SecurityGroups.html%23%3A~%3Atext%3DYou%2520can%2520remove%2520the%2520rule%2Cno%2520outbound%2520traffic%2520is%2520allowed.&usg=AOvVaw18duhClaWYWeRM5KpzhhCJ I think option C is correct.
upvoted 1 times
workatpace
1 year, 5 months ago
Selected Answer: B
For NACL, both inbound and outbound rules need to be checked for the database; any answer without both is incorrect.
upvoted 1 times
dcasabona
1 year, 7 months ago
Selected Answer: B
I agree on option B.
upvoted 1 times
sarhlarm
1 year, 9 months ago
This question is way too long to remember every detail. Whoever set this question must have thought they were "IT" ... smh
upvoted 2 times
YouYouYou
2 years, 2 months ago
Selected Answer: B
A. -- database inbound is not verified
B. -- correct answer: inbound SG on database checked; outbound SG on app checked even if it's not required (inbound in place for sure: the question says it can't connect to the db, so we can reach it but it can't reach the db); inbound and outbound NACL for db and app servers checked
C. -- database outbound is not verified
D. -- database outbound is not verified
upvoted 1 times
Ayusef
2 years, 4 months ago
It's D.. Soon as they said outbound SG, B.. was wrong.
upvoted 1 times
Ayusef
2 years, 4 months ago
Typo B..but the answers are wacky
upvoted 2 times
Hungdv
2 years, 5 months ago
B is answer. SG is stateful, NACL is stateless: App -> SG1 outbound -> ACL1 outbound -> ACL2 inbound -> SG2 inbound -> DB -> ACL2 outbound -> ACL1 inbound -> APP
upvoted 2 times
babaseun
2 years, 5 months ago
That makes D the correct answer
upvoted 1 times
babaseun
2 years, 5 months ago
The answer stops here: 'App -> SG1 outbound -> ACL1 outbound -> ACL2 inbound -> SG2 inbound -> DB'. The question states that the app server cannot make a connection to the database server.
upvoted 2 times
Edgecrusher77
2 years, 5 months ago
Sorry, I don't understand the format of the answers proposed...
upvoted 1 times
saptati
2 years, 5 months ago
The correct answer is B. 1) For any App to DB connection, the first troubleshooting step is to check the App SG OUTBOUND rule and the DB SG INBOUND rule. SGs are stateful and don't require worrying about returning traffic. Thus, by the method of elimination, we can take out A & C. 2) Why D is wrong: a similar troubleshooting step is applied as with the SGs, but NACLs are stateless, so we also need to check the returning traffic as well. Thus, I also feel pity for those who are still confused.
upvoted 4 times
DayQuil
2 years, 5 months ago
Nice, this is correct. Also for those who are wondering, yes security groups support outbound rules.
upvoted 1 times
Weekly_diary
2 years, 5 months ago
Thank you, I understand what you're saying. According to your logic, why can't we also choose A as the answer (since SG is stateful)?
upvoted 1 times
varu
2 years, 5 months ago
Correct Ans: B. This Q is talking about the control mechanism "FLOW OF TRAFFIC": App servers "OUT" ==> database "IN", and then NACLs, which always work in pairs IN/OUT for best results :))!! You can forget about C and D; they say for NACL only IN or OUT with each service, but you are free to experiment with this option :))! Best of luck!!!
upvoted 1 times
dishu2511
2 years, 5 months ago
Am I the only one who is thinking all of the options are wrong? SGs are stateful, yet all the options have inbound and outbound for SG. Or am I missing anything here?
upvoted 1 times
Santya
2 years, 5 months ago
I feel pity for guys who are answering anything other than B to this question; they are not eligible even to appear for the AWS associate exam.. Correct answer is B.. you will gain this knowledge only through experience
upvoted 1 times
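The evaluation order several commenters spell out (stateful security groups checked once in the forward direction, stateless network ACLs checked on both the forward and the reply packet) can be modelled directly. This is an added example, not code from ExamTopics or any commenter; the CIDRs, rule numbers, the 3306 port and the 40000 ephemeral client port are constructed values, and the CIDR matching is simplified to exact match or 0.0.0.0/0.

```python
# Added example (not from ExamTopics or any commenter): model of the checks an
# App -> DB TCP connection passes. SGs are stateful, NACLs are stateless.
from dataclasses import dataclass

@dataclass
class Rule:
    proto: str
    port_from: int
    port_to: int
    cidr: str               # simplified: "0.0.0.0/0" or an exact CIDR match
    action: str = "allow"   # NACL rules may also be "deny"; SG rules are allow-only

    def matches(self, proto, port, cidr):
        return (self.proto == proto and self.port_from <= port <= self.port_to
                and self.cidr in ("0.0.0.0/0", cidr))

def sg_allows(rules, proto, port, cidr):
    """Stateful: a matching rule permits the flow and, implicitly, its reply."""
    return any(r.matches(proto, port, cidr) for r in rules)

def nacl_allows(rules, proto, port, cidr):
    """Stateless: (number, Rule) pairs, lowest number first, first match wins, default deny."""
    for _, r in sorted(rules, key=lambda nr: nr[0]):
        if r.matches(proto, port, cidr):
            return r.action == "allow"
    return False

def app_to_db_checks(app_sg, app_acl, db_sg, db_acl, app_cidr, db_cidr, port, ephemeral=40000):
    """Ordered checks for App -> DB; 'ephemeral' is a constructed client port for the reply."""
    return [
        ("app SG outbound", sg_allows(app_sg["out"], "tcp", port, db_cidr)),
        ("app subnet NACL outbound", nacl_allows(app_acl["out"], "tcp", port, db_cidr)),
        ("db subnet NACL inbound", nacl_allows(db_acl["in"], "tcp", port, app_cidr)),
        ("db SG inbound", sg_allows(db_sg["in"], "tcp", port, app_cidr)),
        # reply path: the NACLs see the DB's answer to the app's ephemeral port as new traffic
        ("db subnet NACL outbound (reply)", nacl_allows(db_acl["out"], "tcp", ephemeral, app_cidr)),
        ("app subnet NACL inbound (reply)", nacl_allows(app_acl["in"], "tcp", ephemeral, db_cidr)),
    ]

def failing_checks(checks):
    return [name for name, ok in checks if not ok]

# Constructed sample: both SGs are correct, but the DB subnet NACL allows only 3306
# outbound, so the DB's reply to the app's ephemeral port is dropped.
APP, DB = "10.0.1.0/24", "10.0.2.0/24"
EPH = Rule("tcp", 1024, 65535, "0.0.0.0/0")
APP_SG = {"out": [Rule("tcp", 3306, 3306, DB)], "in": []}
DB_SG = {"in": [Rule("tcp", 3306, 3306, APP)], "out": []}
APP_ACL = {"out": [(100, Rule("tcp", 3306, 3306, DB))], "in": [(100, EPH)]}
DB_ACL = {"in": [(100, Rule("tcp", 3306, 3306, APP))], "out": [(100, Rule("tcp", 3306, 3306, APP))]}
```

Calling `failing_checks(app_to_db_checks(APP_SG, APP_ACL, DB_SG, DB_ACL, APP, DB, 3306))` returns only the DB subnet's outbound reply check, which is exactly the check options C and D skip; replacing that NACL outbound entry with the `EPH` range clears it.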
Community vote distribution
A (35%)
C (25%)
B (20%)
Other