Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam SCS-C02 Topic 8 Question 13 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 13
Topic #: 8
[All SCS-C02 Questions]

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

Show Suggested Answer Hide Answer
Suggested Answer: B

For increased security while ensuring functionality, adjusting NACL3 to allow inbound traffic on port 5432 from the CIDR blocks of the application instance subnets, and allowing outbound traffic on ephemeral ports (1024-65536) back to those subnets creates a secure path for database access. Removing default allow-all rules enhances security by implementing the principle of least privilege, ensuring that only necessary traffic is permitted.


Contribute your Thoughts:

Eden
6 months ago
I prefer Option D. It specifically allows inbound and outbound traffic with the RDS subnets.
upvoted 0 times
...
Dulce
6 months ago
That makes sense, Titus. But Option A also restricts traffic to specific sources.
upvoted 0 times
...
Titus
6 months ago
I think Option B might be better. It allows traffic from the application instance subnets.
upvoted 0 times
...
Laurel
7 months ago
I agree with Dulce. Option A looks good to me.
upvoted 0 times
...
Dulce
7 months ago
I think we should make changes to NACL3 to increase security.
upvoted 0 times
...
Ammie
7 months ago
But option D also seems valid as it allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets and restricts outbound traffic to the RDS subnets.
upvoted 0 times
...
Kenda
7 months ago
I'm leaning towards option C. It restricts outbound traffic on port 5432 to the CIDR blocks of the RDS subnets, increasing security.
upvoted 0 times
...
Tegan
7 months ago
I disagree, I believe option B is better. It allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.
upvoted 0 times
...
Ammie
7 months ago
I think option A is the correct choice. It specifically allows inbound traffic on port 5432 from NACL2 which is where the RDS instance is located.
upvoted 0 times
...
Nancey
8 months ago
You raise a fair point. Maybe we could be more specific and allow only the necessary outbound ports, like the ones used by the application. But overall, I think option B is the best approach.
upvoted 0 times
...
Carolynn
8 months ago
Haha, I bet the exam creators are just trying to trip us up with all these network ACLs. But I'm glad we're working through this together.
upvoted 0 times
Shawnta
7 months ago
Let's go with B then.
upvoted 0 times
...
Elliot
8 months ago
That's true, it does. Maybe B is the better choice after all.
upvoted 0 times
...
Viola
8 months ago
But B specifically targets the application instance subnets.
upvoted 0 times
...
Laurel
8 months ago
I think A makes more sense actually.
upvoted 0 times
...
Ailene
8 months ago
I'm not so sure, maybe it's A?
upvoted 0 times
...
Tenesha
8 months ago
I think the correct answer is B.
upvoted 0 times
...
...
Latrice
8 months ago
Option B does seem to be the most logical choice. Restricting the RDS access to only the application subnets and removing the default allow-all rules is a good way to tighten the security.
upvoted 0 times
...
Terrilyn
8 months ago
Hmm, this is a tricky one. We need to ensure the functionality of the application while increasing the security of the network. I'm leaning towards option B, as it seems to have the most comprehensive approach.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77