Exam AWS Certified Security - Specialty topic 1 question 176 discussion

B is correct for sure. Always check NACL when traffics are across subnets

my take is C, in question its mentioned that system in other subnet can communicate, so issue is not with nacl

Poorly designed question. Both B & C are potentially correct. However, inspecting the flow logs can reveal the NACL DENY rule as well as any other issues. Hence B is less thorough than C.

Correct answer is B.

B is the best answer here. As silly as it may sound, having instances in the same subnets can communicate does not rule out DENY rules or insufficient port config for these 2 specific instances causing the issue. Single IP rules can cause this. Don't think it is always subnet/range to subnet/range.

the catch here is that "other servers are able to connect" so this cannot be due to NACL (NACLs can apply for the whole VPC). A & D is a straight forward No. So, the answer should be C.

VPC Flowlogs to gain understanding of where it was blocked

Easiest way is to check dropped packets, and for that you've got the Flowlogs: C

Pay attention on "It has been confirmed that other hosts in the SAME subnets". I think this is B.

The correct answer is C. Review the rejected packet reason codes in the VPC Flow Logs. VPC Flow Logs are a great way to troubleshoot network connectivity issues. They can be used to see which packets were sent and received, as well as the reason for any rejections. In this case, the troubleshooting steps should be: Check the inbound and outbound security groups, looking for DENY rules. If there are no DENY rules, then the security groups are not the issue. Check the inbound and outbound Network ACL rules, looking for DENY rules. If there are no DENY rules, then the Network ACLs are not the issue. Review the rejected packet reason codes in the VPC Flow Logs. This will show which packets were rejected and the reason for the rejection. This information can be used to determine the next steps in troubleshooting the issue.

Depends on how read the questions: - host communicate between "same" subnet (so only in sub1 and only in sub2) it's B - host communicate cross "same" subnet (from sub1 to 2 and viceversa) it's C

there is a no information in vpcflowlog about reason.Vpc flow log so basic log type just src dest IPs and Ports,interface id and action.

I real world, I would use B then C right after that

Correct Answer is B

The other hosts on these subnets are talking to each other so the problem is not with SG & NACL. That leaves option C. VPC flow logs will tell what's causing the issue. D is irrelevant here

A cant be the answer so it is B Security group rules are implicit deny, which means all traffic is denied unless an inbound or outbound rule explicitly allows it. You can only add or remove "allow" rules—you can't add or remove "deny" rules, and there's no need to.

First of all why does the question say that security groups have valid ALLOW rules in place? Security groups don't have ALLOW or DENY rules. Question is worded wierdly imo. Anyways I guess its probably B or C.