ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 116 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 116
Topic #: 1
[All AWS Certified Security - Specialty Questions]

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host
(IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
What action should be performed to allow the ping to work?

  • A. In the security group of the EC2 instance, allow inbound ICMP traffic.
  • B. In the security group of the EC2 instance, allow outbound ICMP traffic.
  • C. In the VPC's NACL, allow inbound ICMP traffic.
  • D. In the VPC's NACL, allow outbound ICMP traffic.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by awssecuritynewbie at March 18, 2020, 8:48 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
DanMuniz
Highly Voted 3 years, 8 months ago
D, duplicated, good to double study!
upvoted 14 times
...
ITGURU51
Most Recent 2 years, 1 month ago
The answer is D because the flow logs are showing that inbound ICMP from source to destination was allowed. However, the outbound ICMP traffic from the EC2 instance back to the data center computer was rejected.
upvoted 3 times
awssecuritynewbie
1 year, 8 months ago
The traffic reached the EC2 but the return traffic was not returned as it was rejected by the NCAL , the security group is stateful so the return traffic is allowed through the inbound is already permitted.
upvoted 1 times
...
...
a_kom
2 years, 6 months ago
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html (section "Security group and network ACL rules") I do not get it. How could I possibly reach from my "home computer" with IP 203.0.113.12, the private IP 172.31.16.139 of an EC2 instance?!
upvoted 1 times
...
speedster
2 years, 6 months ago
Selected Answer: D
SG-> Stateful (inbound rule auto reflected to outbuond rule) NACL-> Stateless (inbound and outbound rules are separate )
upvoted 3 times
ITGURU51
2 years, 1 month ago
NACL's require inbound and outbound rules to be configured because they are stateless.
upvoted 1 times
...
...
MungKey
2 years, 9 months ago
A - Not correct - Inbound is working B - Not correct - In SG if Inbound is working, Outbound is not required C - Not correct - Inbound is working D - Correct - 172.31.16.139 going out to 203.0.113.12 - Need to allow
upvoted 3 times
ITGURU51
2 years, 1 month ago
The concept behind the question here is the fact that security groups are stateful devices. Since the flow logs show that traffic is allowed inbound, it is safe to assume that the security group is not the problem.
upvoted 1 times
...
...
trongod05
3 years ago
Selected Answer: D
D. The exact example is in the VPC flow logs documentation here. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html. Scroll down to Security group and network ACL rules.
upvoted 2 times
...
f4bi4n
3 years, 2 months ago
Please notice that in the second entry the IPs are switched, which means the return from on-premise was blocked. So the NACL blocks the incoming connection... (open ephemeral ports)
upvoted 1 times
...
tezawynn
3 years, 3 months ago
Ping will have to do with Network ACLs. NACLs are stateless so you need to set up one side. 172.16 (internal) to 203.0 (external IP) which is outbound traffic , you need to allow this.
upvoted 1 times
...
SoukelezArtibuz
3 years, 7 months ago
He did not say it so ... Ans D 100%
upvoted 2 times
...
kiev
3 years, 8 months ago
D for me as well. NACLS deals with outbound traffic
upvoted 3 times
...
Gustava6272
3 years, 8 months ago
D because , request was first accepted and then rejected. This can only happen for NACL , first pass inbound pass and outbound fail. For security group since being stateless the traffic would have moved out . Hence D
upvoted 3 times
...
rdy4u
3 years, 8 months ago
Duplicated with New Q11
upvoted 2 times
...
gfhbox0083
3 years, 8 months ago
D, for sure
upvoted 1 times
...
RaySmith
3 years, 8 months ago
D to me
upvoted 2 times
...
awssecuritynewbie
3 years, 9 months ago
D is right
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel