ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 17 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 17
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A security engineer is working with a company to design an ecommerce application. The application will run on Amazon EC2 instances that run in an Auto Scaling group behind an Application Load Balancer (ALB). The application will use an Amazon RDS DB instance for its database.
The only required connectivity from the internet is for HTTP and HTTPS traffic to the application. The application must communicate with an external payment provider that allows traffic only from a preconfigured allow list of IP addresses. The company must ensure that communications with the external payment provider are not interrupted as the environment scales.
Which combination of actions should the security engineer recommend to meet these requirements? (Choose three.)

  • A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use.
  • B. Place the DB instance in a public subnet.
  • C. Place the DB instance in a private subnet.
  • D. Configure the Auto Scaling group to place the EC2 instances in a public subnet.
  • E. Configure the Auto Scaling group to place the EC2 instances in a private subnet.
  • F. Deploy the ALB in a private subnet.
Show Suggested Answer Hide Answer
Suggested Answer: ACE 🗳️
by aragon_saa at Oct. 3, 2023, 8:20 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Ptol
Highly Voted 1 year, 1 month ago
Selected Answer: CE
This cannot possibly be an exam question. its poorly worded. None of the partial answers address the need to contol the outgoing connections IP addresses. If A placed the NAT in a public subnet with an elastic IP address attached, then we would have a valid solution
upvoted 8 times
...
1329ca5
Most Recent 1 month, 3 weeks ago
Selected Answer: ACE
Based on best practices for security, scalability, and meeting the specific requirements: C. Place the DB instance in a private subnet. (Essential for database security) E. Configure the Auto Scaling group to place the EC2 instances in a private subnet. (Essential for application server security behind an ALB) A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use. (Essential for EC2 instances in private subnets to reach the external payment provider with a static, highly available outbound IP, supporting ASG scaling)
upvoted 1 times
...
Kaps443
4 months, 1 week ago
Selected Answer: ACE
A. Deploy a NAT gateway in each private subnet for every Availability Zone that is in use. ✔️ Ensures EC2s in private subnets can access the internet using static Elastic IPs via NAT — which are pre-approved by the payment provider. C. Place the DB instance in a private subnet. ✔️ Best practice: RDS should never be in a public subnet. Keeps DB isolated and secure. E. Configure the Auto Scaling group to place the EC2 instances in a private subnet. ✔️ EC2s in private subnets use the NAT Gateway to talk to the internet, keeping them protected from direct public access. The ALB handles public traffic.
upvoted 1 times
...
phmeeeee
4 months, 1 week ago
Selected Answer: CE
NAT GW in private subnet is useless!,
upvoted 2 times
...
Artemiy
4 months, 2 weeks ago
Selected Answer: CE
only two are valid A can't be possible because nat gateway must be in public subnet
upvoted 1 times
...
molerowan
5 months, 1 week ago
Selected Answer: CE
C&E is the only legit answer A and F are a terrible idea.
upvoted 1 times
...
diegomarin
8 months ago
Selected Answer: ACD
Nat GW em rede privada não tem saída para usar o EIP.
upvoted 2 times
...
bukkanni
11 months, 3 weeks ago
NAT Gateway in a private subnet. Seriously? How will EC2 instances in a private subnet get internet access if the NAT Gateway is in a private subnet and itself does not have internet access. Am I missing something?
upvoted 3 times
...
FunkyFresco
12 months ago
Selected Answer: ACE
ACE are correct.
upvoted 1 times
...
sema2232
1 year, 2 months ago
B,E,F are correct
upvoted 1 times
...
shailvardhan
1 year, 2 months ago
Incorrect options as question is not clear enough.
upvoted 1 times
...
Raphaello
1 year, 8 months ago
Keyword: " preconfigured allow list of IP addresses" However, the question missed an important detail alongside these keywords..that the communication has to be routed to a VPN and through a virtual private gateway (VGW). That's the only reason you can place NAT GW in a private subnet. Without that piece of detail, placing NAT GW seems unreasonable. Poorly written question, but if you considered that, A C E would make sense. https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html#private-nat-allowed-range
upvoted 4 times
...
Daniel76
1 year, 9 months ago
Selected Answer: ACE
C and E are definitely correct. A is confusing because NAT gateway should be created in public subnets. It should be referring to created *for each private subnets instead. F is wrong because ALB should be in public subnet.
upvoted 2 times
confusedyeti69
1 year, 8 months ago
There is private NAT gateway as well, but I'm not sure if private NAT gateway is deployed to public or private subnet. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html Private – Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway. You can route traffic from the NAT gateway through a transit gateway or a virtual private gateway. You cannot associate an elastic IP address with a private NAT gateway. You can attach an internet gateway to a VPC with a private NAT gateway, but if you route traffic from the private NAT gateway to the internet gateway, the internet gateway drops the traffic.
upvoted 1 times
...
...
[Removed]
1 year, 9 months ago
Selected Answer: ACE
A,C and E, except that NAT gateways are created in public subnets, so that private subnets can reach the Internet. Option A is worded wrong.
upvoted 3 times
...
lalee2
1 year, 9 months ago
Selected Answer: ACE
A, C, E
upvoted 2 times
...
KR693
1 year, 10 months ago
A, C and E
upvoted 2 times
...
Sumi81
1 year, 10 months ago
I think its ACD
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel