Amazon Exam SCS-C02 Topic 5 Question 20 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 20
Topic #: 5

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

Suggested Answer: B

For increased security while preserving functionality, NACL3 should allow inbound TCP traffic on port 5432 only from the CIDR blocks of the application instance subnets, and allow outbound TCP traffic on the ephemeral port range (1024-65535) back to those same subnets. Network ACLs are stateless, so the return half of every connection has to be allowed explicitly: without the outbound ephemeral rule, the DB instance's replies to the application never leave the database subnet and the connections time out. AWS recommends covering 1024-65535 rather than a narrower range because the client's ephemeral range depends on its operating system (modern Linux kernels use 32768-60999, Windows Server 2008 and later use 49152-65535). Replacing the default allow-all rules with these specific rules applies least privilege: the ALB subnets, and anything else in the VPC, can no longer reach the database port directly, and only the traffic the application actually needs is permitted.
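The statelessness argument above, as an added example that is not part of the exam question, the site's answer or AWS documentation: a small Python model of how a network ACL evaluates a packet (lowest-numbered matching rule wins, implicit deny at the end), applied to the NACL3 rule set. The subnet CIDRs, rule numbers and client ports are assumptions chosen for illustration; only the database port 5432 and the 1024-65535 range come from the question and answer. It also shows the caveat behind the ephemeral range: a rule covering only the Linux range would drop replies to a client that picked a higher source port.

```python
"""Stateless network ACL evaluation for the NACL3 rules described above.

Added example, not the exam's or AWS's code. CIDRs, rule numbers and client
ports are assumptions constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # evaluated lowest-first, like the rule number column in the console
    protocol: str     # 'tcp', 'udp' or 'all'
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int    # destination port range the rule covers
    port_to: int
    action: str       # 'allow' or 'deny'

    def matches(self, proto: str, addr: str, port: int) -> bool:
        if self.protocol not in ("all", proto):
            return False
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to


def evaluate(rules, proto: str, addr: str, port: int) -> str:
    """Return 'allow' or 'deny' for one packet: first matching rule by number wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, addr, port):
            return rule.action
    return "deny"  # the implicit '*' deny that ends every network ACL


# Assumed subnet layout (constructed for the example)
APP_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]   # application instances (NACL2 side)
ALB_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24"]     # public ALB subnets (NACL1 side)
EPHEMERAL = (1024, 65535)                        # range AWS recommends for return traffic
LINUX_EPHEMERAL = (32768, 60999)                 # too narrow for non-Linux clients

# NACL3 as the suggested answer describes it: 5432 in from the app subnets,
# ephemeral ports out to the same subnets, nothing else.
NACL3_INBOUND = [
    Rule(100 + 10 * i, "tcp", cidr, 5432, 5432, "allow") for i, cidr in enumerate(APP_SUBNETS)
]
NACL3_OUTBOUND = [
    Rule(100 + 10 * i, "tcp", cidr, *EPHEMERAL, "allow") for i, cidr in enumerate(APP_SUBNETS)
]
# A mistaken variant that only covers the Linux ephemeral range.
LINUX_ONLY_OUTBOUND = [
    Rule(100 + 10 * i, "tcp", cidr, *LINUX_EPHEMERAL, "allow") for i, cidr in enumerate(APP_SUBNETS)
]


def db_connection_allowed(inbound, outbound, client_ip: str, client_port: int, db_port: int = 5432) -> bool:
    """A TCP connection only works if both halves pass the stateless ACL:
    the client's packet to the DB port (inbound rules, keyed on source CIDR)
    and the DB's reply to the client's ephemeral port (outbound rules, keyed
    on destination CIDR)."""
    request_ok = evaluate(inbound, "tcp", client_ip, db_port) == "allow"
    reply_ok = evaluate(outbound, "tcp", client_ip, client_port) == "allow"
    return request_ok and reply_ok


if __name__ == "__main__":
    # App instance in 10.0.10.0/24 connects from ephemeral port 51234: works
    print(db_connection_allowed(NACL3_INBOUND, NACL3_OUTBOUND, "10.0.10.25", 51234))
    # Same connection with no outbound ephemeral rule: the SYN arrives, the reply is dropped
    print(db_connection_allowed(NACL3_INBOUND, [], "10.0.10.25", 51234))
    # Windows-style client source port 61500 against the Linux-only range: reply dropped
    print(db_connection_allowed(NACL3_INBOUND, LINUX_ONLY_OUTBOUND, "10.0.10.25", 61500))
    # ALB subnet trying to reach the DB port directly: denied by the implicit '*' rule
    print(db_connection_allowed(NACL3_INBOUND, NACL3_OUTBOUND, "10.0.0.7", 51234))
```

The model deliberately keys outbound rules on the destination CIDR and destination port, which is what the console's outbound rule fields mean; the reply from the DB instance has the application instance as destination and the client's ephemeral port as destination port, so that is the packet the 1024-65535 rule has to cover. Security groups are stateful and would not need the return rule; network ACLs do.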


Contribute your Thoughts:

Carissa
5 months ago
Haha, the last time I saw a question this complex, I ended up scratching my head for an hour. But I'm feeling confident this time around!
upvoted 0 times
Corrie
5 months ago
Wait, do we actually need to open up ports 1024-65536 for outbound traffic? That seems a bit excessive. Maybe I'm missing something here.
upvoted 0 times
Kris
4 months ago
Yeah, that makes sense. We don't need to open up all those ports for outbound traffic. Option B seems like the best choice.
upvoted 0 times
Merilyn
4 months ago
I think we should go with option B. It allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.
upvoted 0 times
Chau
5 months ago
I agree. Option A seems to be the best choice for increasing security while ensuring functionality.
upvoted 0 times
Kimbery
5 months ago
I think we should make changes to NACL3. Option A looks good.
upvoted 0 times
Hoa
6 months ago
I disagree, I believe the correct answer is D.
upvoted 0 times
Vannessa
6 months ago
Hmm, this question is testing our knowledge of network security best practices. I think I've got it figured out, but I'll double-check my work.
upvoted 0 times
Jeff
6 months ago
Ah, this is a tricky one. I'm pretty sure the answer is B, but I'm curious to see what the other candidates think.
upvoted 0 times
Zona
5 months ago
I agree, option B looks like the best choice for securing the application without compromising its functionality.
upvoted 0 times
Zona
5 months ago
I think the answer is B as well. It seems to be the most logical choice for increasing security while ensuring functionality.
upvoted 0 times
Reed
6 months ago
I agree, option B seems like the best choice to increase security while ensuring functionality.
upvoted 0 times
Sage
6 months ago
I agree with you on option A. It seems like the best choice for increasing security while ensuring functionality.
upvoted 0 times
Graciela
6 months ago
I'm leaning towards option A actually. It seems like a good balance of security and functionality.
upvoted 0 times
Tonja
6 months ago
I think the answer is B as well. It makes sense to restrict traffic to specific CIDR blocks.
upvoted 0 times
Latrice
6 months ago
I think the answer is B as well. It seems to be the most secure option.
upvoted 0 times
Theola
6 months ago
I think the answer is B.
upvoted 0 times
