ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 6 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 6
Topic #: 1
[All AWS Certified Security - Specialty Questions]

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load
Balancer (ALB); application servers are located in private subnets.
How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

  • A. Configure the application's EC2 instances to use NAT gateways for all inbound traffic.
  • B. Move the web servers to private subnets without public IP addresses.
  • C. Configure AWS WAF to provide DDoS attack protection for the ALB.
  • D. Require all inbound network traffic to route through a bastion host in the private subnet.
  • E. Require all inbound and outbound network traffic to route through an AWS Direct Connect connection.
Show Suggested Answer Hide Answer
Suggested Answer: BC 🗳️
by BillyC at Aug. 25, 2019, 5:13 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
josellama2000
Highly Voted 3 years, 9 months ago
Agreed. Correct is B and C A is incorrect. Nat gateways is for outbound only trafffc D is incorrect. Bastion host is mostly for incoming SSH/FTP connections and it must be placed on a public subnet E is incorrect. AWS Direct connect is used to connect your on-premisse datacenter to AWS
upvoted 52 times
nasreenazad57
3 years, 8 months ago
if we move web servers to private subnets without public IP, it mean they won't be able to serve as public web servers, am I correct?
upvoted 1 times
frees
3 years, 8 months ago
Load Balancer will have public IP.
upvoted 3 times
rohanat
2 years, 5 months ago
But application and Web Servers need to be isolated into different layers, Moving the web servers to private subnet will increase the blast radius if web servers are hacked. So this answer is not fully right
upvoted 2 times
Robert0
2 years ago
The question does not specify that the private subnet have to be unique. Agree with you that it may be more complete answer. But they are "more secure" options than the initial state.
upvoted 1 times
...
Load full discussion...
...
...
...
...
BillyC
Highly Voted 3 years, 9 months ago
B and C
upvoted 20 times
...
huaze_lei
Most Recent 1 month, 1 week ago
Selected Answer: BC
Load balancer will host the public IP, and then shift all the web server to private subnet. As for the ALB, it can help with the level 7 DDOS protection.
upvoted 1 times
...
CarlosC
9 months, 3 weeks ago
Selected Answer: BC
Its B&C
upvoted 1 times
...
jlggross
11 months, 2 weeks ago
C might be correct but is a tricky one. When it comes to DDoS mitigation, the recommended solution is AWS Shield, but other services can also mitigate DDoS, such as AWS WAF.
upvoted 1 times
...
rapatajones
1 year, 8 months ago
Selected Answer: BC
B and C
upvoted 1 times
...
Benah
1 year, 9 months ago
B and C is correct
upvoted 1 times
...
Robert0
2 years ago
Selected Answer: BC
B and C.
upvoted 1 times
...
gg12345
2 years, 7 months ago
Selected Answer: BC
B and C
upvoted 1 times
...
dcasabona
2 years, 10 months ago
Selected Answer: BC
B and C make sense to me.
upvoted 1 times
...
hk436
3 years, 7 months ago
B and C is my answer
upvoted 1 times
...
Kdosec
3 years, 7 months ago
B & C are correct, but the C answer with "C. Configure AWS WAF to provide DDoS attack protection" is really not correct with DDoS attack protection, it must be AWS Shield.
upvoted 5 times
NivNZ
3 years, 7 months ago
No actually, C is correct too. If you check WAF's FAQ - "Can I use Rate-based rule to mitigate Web layer DDoS attacks?" It does say "Yes. This new rules type is designed to protect you from use cases such web-layer DDoS attacks, brute force login attempts and bad bots." Reference: https://aws.amazon.com/waf/faqs/
upvoted 8 times
...
...
sanjaym
3 years, 7 months ago
Ans:BC 100%
upvoted 1 times
...
mmelo
3 years, 8 months ago
B and C
upvoted 1 times
...
Haxor
3 years, 8 months ago
I don't understand why everyone is saying B? If it is B, then surely your users can't access the instances, so instead it should be A and C, right?
upvoted 1 times
apartha77
3 years, 8 months ago
Ans > B&C... the ALB can be configured to access web server in private subnet
upvoted 1 times
...
gondohwe
2 years, 9 months ago
it dont matter if the web servers are in private subnets...the ALB facing the internet will receive requests...BC make a better choice
upvoted 1 times
...
...
NANDY666
3 years, 8 months ago
B and C
upvoted 1 times
...
kalzht00
3 years, 8 months ago
Should be B & C
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel