ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 96 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 96
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS which includes a NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned capacity for the expected workload tor the new fiscal year benefit enrollment period plus some extra overhead
Enrollment proceeds nicely for two days and then the web tier becomes unresponsive, upon investigation using CloudWatch and other monitoring tools it is discovered that there is an extremely large and unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from a country where the benefits company has no customers. The web tier instances are so overloaded that benefit enrollment administrators cannot even SSH into them.
Which activity would be useful in defending against this attack?

  • A. Create a custom route table associated with the web tier and block the attacking IP addresses from the IGW (Internet Gateway)
  • B. Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Main Route Table with the new EIP
  • C. Create 15 Security Group rules to block the attacking IP addresses over port 80
  • D. Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny rules to block the attacking IP addresses
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
Use AWS Identity and Access Management (IAM) to control who in your organization has permission to create and manage security groups and network ACLs
(NACL). Isolate the responsibilities and roles for better defense. For example, you can give only your network administrators or security admin the permission to manage the security groups and restrict other roles.
by qianhaopower at May 13, 2020, 1:20 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
qianhaopower
Highly Voted 3 years, 7 months ago
D is correct!
upvoted 6 times
...
amministrazione
Most Recent 8 months, 3 weeks ago
D. Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny rules to block the attacking IP addresses
upvoted 1 times
...
01037
3 years, 6 months ago
Yes it's D. WAF may help too
upvoted 2 times
...
cldy
3 years, 6 months ago
D. NACL to blacklist the IPs with deny rule.
upvoted 2 times
...
oatif
3 years, 6 months ago
D is correct because there is not deny option in SG's
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago