Amazon Exam SCS-C02 Topic 6 Question 27 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 27
Topic #: 6

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

Suggested Answer: B

For increased security while ensuring functionality, adjust NACL3 to allow inbound traffic on port 5432 from the CIDR blocks of the application instance subnets, and allow outbound traffic on ephemeral ports (1024-65536) back to those subnets; together these rules create a secure path for database access. Removing the default allow-all rules enforces the principle of least privilege, so that only the traffic the application needs is permitted.
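The point the answer turns on is that network ACLs are stateless: allowing the PostgreSQL request in does nothing for the reply, which must be matched by its own outbound rule on the ephemeral port range. The following model of NACL rule evaluation is an added illustration, not code from the question, the answer key, or AWS. The subnet CIDRs, host addresses and rule numbers are constructed assumptions; the ephemeral range used is the 1024-65535 range that AWS documents for network ACLs.

```python
"""Model of AWS network ACL evaluation, used to check the NACL3 rule set
from the suggested answer. Added illustration only: the CIDRs, hosts and
rule numbers below are constructed, not taken from the question."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int     # NACL rules are evaluated in ascending number order
    protocol: str   # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    action: str     # "allow" or "deny"


# Constructed addresses for the scenario (assumed; the question gives none).
APP_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]  # private app subnets, NACL2
APP_HOST = "10.0.10.15"                         # an application instance
ALB_HOST = "10.0.1.5"                           # an ALB node in a public subnet
POSTGRES_PORT = 5432
EPHEMERAL = (1024, 65535)  # NACL ephemeral port range per AWS documentation


def evaluate(rules, protocol, port, remote_ip):
    """Decide one packet in one direction: the lowest-numbered matching rule
    wins, and the implicit final '*' rule denies anything unmatched. NACLs are
    stateless, so a reply gets no credit for the request that preceded it."""
    addr = ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in (protocol, "all"):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        if addr not in ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


# Current state from the question: every NACL allows all traffic both ways.
ALLOW_ALL = [Rule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]

# Hardened NACL3 from the suggested answer: PostgreSQL in only from the
# application subnets, ephemeral-port replies out only to those subnets,
# and no allow-all rule left behind.
NACL3_INBOUND = [
    Rule(100 + i, "tcp", POSTGRES_PORT, POSTGRES_PORT, cidr, "allow")
    for i, cidr in enumerate(APP_SUBNETS)
]
NACL3_OUTBOUND = [
    Rule(100 + i, "tcp", EPHEMERAL[0], EPHEMERAL[1], cidr, "allow")
    for i, cidr in enumerate(APP_SUBNETS)
]


def db_session(inbound, outbound, client_ip, client_port):
    """Both halves of one TCP session to the database through NACL3:
    request  client:client_port -> db:5432  (checked against inbound rules)
    reply    db:5432 -> client:client_port  (checked against outbound rules)
    Returns (request_decision, reply_decision)."""
    request = evaluate(inbound, "tcp", POSTGRES_PORT, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request, reply


def session_works(inbound, outbound, client_ip, client_port):
    """True only when both directions are allowed; a one-sided allow hangs."""
    return db_session(inbound, outbound, client_ip, client_port) == ("allow", "allow")


if __name__ == "__main__":
    src_port = 50000  # a typical client-side ephemeral port
    print("today, app -> db:     ", session_works(ALLOW_ALL, ALLOW_ALL, APP_HOST, src_port))
    print("today, alb -> db:     ", session_works(ALLOW_ALL, ALLOW_ALL, ALB_HOST, src_port))
    print("hardened, app -> db:  ", session_works(NACL3_INBOUND, NACL3_OUTBOUND, APP_HOST, src_port))
    print("hardened, alb -> db:  ", session_works(NACL3_INBOUND, NACL3_OUTBOUND, ALB_HOST, src_port))
    # Forgetting the outbound ephemeral rule: the request gets in, the reply is dropped.
    print("no return rule:       ", db_session(NACL3_INBOUND, [], APP_HOST, src_port))
```

Running the script shows why the answer pairs the inbound 5432 rule with an outbound ephemeral rule: with the outbound rule missing, `db_session` returns `("allow", "deny")`, which in a real VPC appears as a database connection that opens and then hangs rather than a clean refusal. The same model also shows that, after hardening, a host in the ALB subnet can no longer reach port 5432 even though it could under the allow-all defaults.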


Contribute your Thoughts:

Novella
2 months ago
I bet the person who wrote this question is a total network nerd. Option B is the way to go, though.
upvoted 0 times
Maryann
2 months ago
Haha, the question says to increase security, not create a fortress! Option C seems like a good balance.
upvoted 0 times
Dean
28 days ago
Yeah, option C focuses on restricting traffic to specific subnets while still allowing necessary communication.
upvoted 0 times
Stephaine
1 month ago
I agree, it's important to find a balance between security and functionality.
upvoted 0 times
Felix
2 months ago
Option C seems like a good balance.
upvoted 0 times
Tiera
2 months ago
Why do you think that?
upvoted 0 times
Katina
2 months ago
I disagree, I believe the answer is B.
upvoted 0 times
Tiera
2 months ago
Because it adds specific rules for inbound and outbound traffic to increase security.
upvoted 0 times
Vivan
2 months ago
Ah, a classic network security challenge. I like how option D specifically targets the RDS subnet traffic.
upvoted 0 times
Tammara
2 months ago
Definitely, it's all about minimizing the attack surface while still allowing the necessary communication.
upvoted 0 times
Evangelina
2 months ago
Option D also ensures that only the necessary traffic is allowed in and out of the subnets, which is crucial for security.
upvoted 0 times
Jill
2 months ago
I agree, it's important to have specific rules for each subnet to control the traffic flow.
upvoted 0 times
Edgar
2 months ago
Option D seems like the best choice to secure the traffic between the application instances and the RDS subnet.
upvoted 0 times
Brianne
2 months ago
Why do you think that?
upvoted 0 times
Tiera
3 months ago
I think the answer is A.
upvoted 0 times
Staci
3 months ago
Hmm, this is a tricky one. I think option B makes the most sense to increase security while maintaining functionality.
upvoted 0 times
Kimbery
3 months ago
User2
upvoted 0 times
Ena
3 months ago
User1
upvoted 0 times
Frederick
3 months ago
I don't know, option A seems simpler and more straightforward to me. Why complicate things?
upvoted 0 times
