
Exam AWS Certified Security - Specialty topic 1 question 159 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 159
Topic #: 1

A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet.
The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances.
There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.
Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Choose three.)

  • A. The route tables and the outbound rules on the appropriate private subnet security group.
  • B. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet.
  • C. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet.
  • D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances.
  • E. The Security Group applied to the Application Load Balancer and NAT gateway.
  • F. That the 0.0.0.0/0 route in the private subnet route table points to the Internet gateway in the public subnet.
Suggested Answer: ACD
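The troubleshooting path the question describes, as an added example that is not from the page or from any AWS tooling: a standard-library Python checker over hand-built dictionaries in the shape of EC2 describe-* output (all addresses, IDs and rules below are constructed) that walks one HTTPS request and its reply through the stateful security group, both route tables, and every stateless NACL direction on the way from a private instance to the NAT gateway, out the internet gateway, and back. It makes the point several commenters raise: because NACLs are stateless, the inbound rules on the private subnet and both directions on the public subnet must admit the reply on an ephemeral port, and the private subnet's default route must point at the NAT gateway rather than the internet gateway.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the walkthrough (not taken from the page).
INSTANCE_IP, NAT_IP, INTERNET_IP = "10.0.1.10", "10.0.0.5", "198.51.100.7"
PRIVATE_CIDR = "10.0.1.0/24"
EPHEMERAL_SAMPLE = (1024, 65535)  # both ends of the range a NAT gateway and clients use


def nacl_allows(entries, egress, src, dst, dst_port, proto="6"):
    """Stateless NACL evaluation: entries are tried in ascending RuleNumber, the
    first match decides, and no match falls through to the implicit deny.
    Ingress rules match on the packet's source, egress rules on its destination."""
    addr = ip_address(dst if egress else src)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", proto):
            continue
        if addr not in ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= dst_port <= pr["To"]:
            continue
        return e["RuleAction"] == "allow"
    return False


def sg_allows_egress(rules, dst, dst_port, proto="tcp"):
    """Security groups are stateful, so only the initiating direction is checked."""
    return any(
        r["IpProtocol"] in ("-1", proto)
        and ip_address(dst) in ip_network(r["CidrIp"])
        and (r["IpProtocol"] == "-1" or r["FromPort"] <= dst_port <= r["ToPort"])
        for r in rules)


def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or '' if there is none."""
    for r in route_table:
        if r["DestinationCidrBlock"] == "0.0.0.0/0":
            return r.get("NatGatewayId") or r.get("GatewayId") or ""
    return ""


def check_egress(env, dst=INTERNET_IP, port=443):
    """Walk request and reply through every control on the path and return the
    names of the checks that fail; an empty list means the path is open."""
    pub, priv = env["public_nacl"], env["private_nacl"]
    checks = [
        ("SG outbound allows request", sg_allows_egress(env["sg_egress"], dst, port)),
        ("private route table default route -> NAT gateway",
         default_route_target(env["private_rt"]).startswith("nat-")),
        ("public route table default route -> internet gateway",
         default_route_target(env["public_rt"]).startswith("igw-")),
        ("private NACL outbound: request to internet", nacl_allows(priv, True, INSTANCE_IP, dst, port)),
        ("public NACL inbound: request from private subnet", nacl_allows(pub, False, INSTANCE_IP, dst, port)),
        ("public NACL outbound: request from NAT to internet", nacl_allows(pub, True, NAT_IP, dst, port)),
        ("public NACL inbound: reply to NAT ephemeral port",
         all(nacl_allows(pub, False, dst, NAT_IP, p) for p in EPHEMERAL_SAMPLE)),
        ("public NACL outbound: reply back to private subnet",
         all(nacl_allows(pub, True, dst, INSTANCE_IP, p) for p in EPHEMERAL_SAMPLE)),
        ("private NACL inbound: reply to instance ephemeral port",
         all(nacl_allows(priv, False, dst, INSTANCE_IP, p) for p in EPHEMERAL_SAMPLE)),
    ]
    return [name for name, ok in checks if not ok]


def rule(number, egress, cidr, frm=None, to=None, action="allow", proto="6"):
    """Build one NACL entry in describe-network-acls shape (constructed helper)."""
    e = {"RuleNumber": number, "Egress": egress, "Protocol": proto,
         "CidrBlock": cidr, "RuleAction": action}
    if frm is not None:
        e["PortRange"] = {"From": frm, "To": to}
    return e


# A working environment: every stateless direction, including the replies, is allowed.
GOOD_ENV = {
    "sg_egress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}],
    "private_rt": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}],
    "public_rt": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                  {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
    "private_nacl": [rule(100, True, "0.0.0.0/0", 443, 443),
                     rule(100, False, "0.0.0.0/0", 1024, 65535)],
    "public_nacl": [rule(100, False, PRIVATE_CIDR, 443, 443),
                    rule(110, False, "0.0.0.0/0", 1024, 65535),
                    rule(100, True, "0.0.0.0/0", 443, 443),
                    rule(110, True, PRIVATE_CIDR, 1024, 65535)],
}

# Two of the misconfigurations discussed in the thread: the private subnet's default
# route points at the internet gateway, and its NACL has no inbound ephemeral-port rule.
BROKEN_ENV = dict(GOOD_ENV,
                  private_rt=[{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
                  private_nacl=[rule(100, True, "0.0.0.0/0", 443, 443)])

if __name__ == "__main__":
    print("good:", check_egress(GOOD_ENV) or "path open")
    print("broken:", check_egress(BROKEN_ENV))
```

The checker samples both ends of the ephemeral range rather than proving every port is covered, and it evaluates only the controls the question lists; a host-based firewall on the instance (option D) sits outside what the VPC API can show and still has to be inspected on the host.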

Comments

freddyman
Highly Voted 3 years, 8 months ago
Short answer: A, C, D. This question is poorly written.
A: subnets don't have security groups, they have NACLs. Security groups are for resources. The route table is really important for this solution though.
E: NAT Gateways don't have security groups.
To look at the answers:
A: route table is important, so this must be included.
B: This is a subset of answer C, and everything in C is needed, so B is incorrect as it's not a full answer.
C: NACL rules on all subnets are relevant. Blocking inbound or outbound on the wrong ports will prevent communications. You also need to check the inbound NACL rules on the private subnet, probably ephemeral ports.
D: yes, less likely but important.
E: NAT gateway doesn't have an SG so not that, and ALB is for ingress not egress via NAT gateway, so no.
F: no, route needs to point to NAT gateway not internet gateway.
upvoted 36 times
babaseun
3 years, 7 months ago
The question says 'server cannot establish an OUTBOUND connection to the internet', which makes B a better option than C. I go with BDE.
upvoted 1 times
dfranco76
3 years, 6 months ago
It checks OUTBOUND connection.
1 - NACL private Outbound (to public subnet/NAT)
2 - NACL public Inbound (from private subnet)
3 - NACL public Outbound (to internet)
upvoted 2 times
Kdosec
3 years, 6 months ago
With AWS NACLs you must check both inbound and outbound for each subnet, because they are stateless. Do not check only one direction.
upvoted 2 times
ramozo
3 years, 7 months ago
A cannot be correct. Subnets don't have security groups. Right answer for me is B, C, D.
upvoted 4 times
Raphaello
Most Recent 1 year, 3 months ago
Selected Answer: ACD
ACD are the correct answer
upvoted 1 times
Raphaello
1 year, 2 months ago
When using NAT gateway for TCP communication with the internet, ephemeral port (1024 ~ 65535) must be allowed in the ACL INBOUND rule applied to NAT gateway in order to receive response packets. And of course an OUTBOUND rule must allow the elements in the public subnet to reach the internet. ACD.
upvoted 1 times
OCHT
1 year, 11 months ago
Selected Answer: ABD
I selected ABD.
upvoted 1 times
awsguru1998
2 years, 2 months ago
ABD. Since the instances are in the private subnet, they are not affected by the inbound or outbound rules on the public subnet. Therefore, checking the outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet (option B) would be more appropriate in this scenario.
upvoted 1 times
VijiTu
2 years, 8 months ago
B does not seem to be right because we do not need an inbound rules check for the public subnet.
upvoted 1 times
VijiTu
2 years, 8 months ago
Answer CDE. I read option E slightly differently. We need to verify the security group of the ALB and also the NAT gateway setup. We should not read it as the security group of the NAT gateway, which would mislead us since a NAT gateway does not have a security group.
upvoted 4 times
nairj
2 years, 1 month ago
why do we need to check ALB when the issue is egress, not ingress?
upvoted 2 times
landsamboni
2 years, 6 months ago
I agree completely
upvoted 1 times
NSF2
3 years, 4 months ago
Except A and D I am not satisfied with any answers. NACL in all subnets should be checked for both directions.
upvoted 1 times
Hariru
3 years, 6 months ago
Selected Answer: ACD
A: routing tables are maybe the first thing I would check. C: I think we should also check the outbound, because it's not stateful and we need to determine the ephemeral ports. D: If we configured any firewall on the host, this could obviously also be a blocker. E: Security Group for ALB etc. doesn't exist.... F: 0.0.0.0 .... just no.
upvoted 4 times
sapien45
2 years, 8 months ago
E: SG for ALB actually exists: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html SG for NAT GW does not exist.
upvoted 4 times
IMAHM
3 years, 6 months ago
Answer: A, C, D
upvoted 1 times
Kdosec
3 years, 6 months ago
I don't know why many people still select B & C. With AWS NACLs you must check both inbound and outbound for each subnet, because they are stateless. Do not check only one direction.
upvoted 1 times
DerekKey
3 years, 6 months ago
A - wrong -> private subnet security group rules and security group route tables
E - wrong -> NAT gateway Security Group
F - wrong -> private subnet route to the Internet gateway
upvoted 1 times
Paimon
3 years, 7 months ago
Terrible question. Only wrong answer is A. All others could be the issue.
upvoted 1 times
Kdosec
3 years, 6 months ago
Why is A wrong? Check the routing table and security group for the private subnet; this is the first step we must check.
upvoted 1 times
jayaj
3 years, 4 months ago
There are no security groups attached to subnets; SGs are attached to resources only.
upvoted 5 times
Paimon
3 years, 7 months ago
This question and its answers are terrible. Might be the worst I've ever seen........
upvoted 2 times
sanjaym
3 years, 7 months ago
ACD for sure.
upvoted 2 times
sanjaym
3 years, 7 months ago
My bad. It should be CDE.
upvoted 2 times
aawwss
3 years, 7 months ago
NAT Gateways do have security groups. Ultimately, NAT Gateways have ENIs and you can update the security group for the ENI, though I don't understand why someone would modify the SG in the first place.
upvoted 1 times
DerekKey
3 years, 7 months ago
This is a completely different entity. The interface can be attached to NAT and EC2 and is not solely dedicated to NAT. Therefore:
- NAT Gateway doesn't have a security group
- Network Interface has a security group
upvoted 1 times
conmtia0214
3 years, 7 months ago
C, D, E are correct.
A. There is no such component as a "subnet security group". (Cannot be confirmed.)
B. You need to check the outbound network ACL rules for the public subnet.
F. You need to make sure that the 0.0.0.0/0 route in the private subnet route table points to the NAT gateway.
upvoted 1 times
conmtia0214
3 years, 7 months ago
Let me fix it. The "E" is also incorrect. Security groups can be associated with NAT instances, but not with NAT gateways. I don't know the correct answer.
upvoted 3 times
smithy44
3 years, 7 months ago
This question is terribly written. As others have said, you also need to check the inbound NACL on the private subnet (C), and security groups don't have route tables, even though that's supposedly the correct answer (A).
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)