Exam AWS Certified Security - Specialty topic 1 question 54 discussion

A Security Engineer has been tasked with the responsibility of troubleshooting incoming connections to a web server. This single web server is not accepting incoming connections from the internet, despite the fact that all other web servers are operating normally.
ACLs, security groups, and a virtual security appliance are all included in the design. Additionally, the Development team deployed Application Load Balancers (ALBs) to balance the load across all web servers. Traffic between the web servers and the internet must pass through the virtual security appliance.
According to the Security Engineer, the following is true:

1. The security groups' rules are correct.
2. The network ACLs have the right set of rules.
3. The virtual appliance's rule set is right.

Which of the following are additional relevant troubleshooting elements in this scenario? (Select two.)

  • A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
  • B. Verify which Security Group is applied to the particular web server's elastic network interface (ENI).
  • C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
  • D. Verify the registered targets in the ALB.
  • E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.
Suggested Answer: BD 🗳️
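The three checks named in options B, C and D can be expressed as code, which makes the reasoning in the discussion concrete. The Python below is an added illustration, not part of ExamTopics or of the exam question; it runs over constructed data whose structure mimics the boto3 responses of ec2.describe_network_interfaces, ec2.describe_route_tables and elbv2.describe_target_health, and every ID (instance, ENI, security group, subnet, route table) is a hypothetical placeholder. Note that the route check is evaluated per subnet, so it can only ever fail for every server in that subnet at once; the security-group-on-ENI and ALB-target checks are per instance and are the ones that can single out one server.

```python
"""Model of the per-server troubleshooting checks for one web server behind an ALB.

All data below is constructed and mirrors boto3 response shapes; it is not
output from a real AWS account. All identifiers are hypothetical placeholders.
"""

EXPECTED_WEB_SG = "sg-web-0000"          # the SG whose rule set was verified
APPLIANCE_ENI = "eni-appliance-0000"     # ENI of the virtual security appliance
WEB_SUBNET = "subnet-web-0000"
PROBLEM_INSTANCE = "i-web-problem-0000"

# ec2.describe_network_interfaces()["NetworkInterfaces"] (constructed)
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-web-ok-0000", "SubnetId": WEB_SUBNET,
     "Attachment": {"InstanceId": "i-web-ok-0000"},
     "Groups": [{"GroupId": EXPECTED_WEB_SG, "GroupName": "web-sg"}]},
    {"NetworkInterfaceId": "eni-web-problem-0000", "SubnetId": WEB_SUBNET,
     "Attachment": {"InstanceId": PROBLEM_INSTANCE},
     # The verified SG is not the one attached to this ENI (option B).
     "Groups": [{"GroupId": "sg-default-0000", "GroupName": "default"}]},
]

# ec2.describe_route_tables()["RouteTables"] (constructed)
ROUTE_TABLES = [
    {"RouteTableId": "rtb-web-0000",
     "Associations": [{"SubnetId": WEB_SUBNET}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0",
                 "NetworkInterfaceId": APPLIANCE_ENI}]},
]

# elbv2.describe_target_health()["TargetHealthDescriptions"] (constructed)
TARGET_HEALTH = [
    {"Target": {"Id": "i-web-ok-0000", "Port": 443},
     "TargetHealth": {"State": "healthy"}},
]


def check_eni_security_groups(interfaces, instance_id, expected_sg):
    """Option B: which security group is actually attached to the instance's ENI."""
    for eni in interfaces:
        if eni.get("Attachment", {}).get("InstanceId") == instance_id:
            attached = {g["GroupId"] for g in eni["Groups"]}
            return {"eni": eni["NetworkInterfaceId"], "attached": sorted(attached),
                    "ok": expected_sg in attached}
    return {"eni": None, "attached": [], "ok": False}


def check_default_route(route_tables, subnet_id, appliance_eni):
    """Option C: where the subnet's 0.0.0.0/0 route points (appliance ENI, NAT or IGW)."""
    for rtb in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rtb["Associations"]):
            for route in rtb["Routes"]:
                if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                    target = (route.get("NetworkInterfaceId")
                              or route.get("NatGatewayId")
                              or route.get("GatewayId"))
                    return {"route_table": rtb["RouteTableId"], "target": target,
                            "ok": target == appliance_eni}
            return {"route_table": rtb["RouteTableId"], "target": None, "ok": False}
    return {"route_table": None, "target": None, "ok": False}


def check_alb_target(target_health, instance_id):
    """Option D: is the instance a registered, healthy target of the ALB's target group?"""
    for desc in target_health:
        if desc["Target"]["Id"] == instance_id:
            state = desc["TargetHealth"]["State"]
            return {"registered": True, "state": state, "ok": state == "healthy"}
    return {"registered": False, "state": None, "ok": False}


def diagnose(instance_id):
    """Run the three checks for one instance and return the names of those that fail."""
    results = {
        "B_security_group_on_eni": check_eni_security_groups(
            NETWORK_INTERFACES, instance_id, EXPECTED_WEB_SG),
        "C_default_route": check_default_route(ROUTE_TABLES, WEB_SUBNET, APPLIANCE_ENI),
        "D_alb_target": check_alb_target(TARGET_HEALTH, instance_id),
    }
    return [name for name, r in results.items() if not r["ok"]]


if __name__ == "__main__":
    for inst in ("i-web-ok-0000", PROBLEM_INSTANCE):
        print(inst, "failing checks:", diagnose(inst) or "none")
```

In the constructed data the healthy server passes every check while the problem server fails only the two per-instance checks (B and D); the shared subnet route passes for both, which is the point several commenters make about options A, C and E. Against a live account the same functions would be fed from boto3 calls such as `ec2.describe_network_interfaces(Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}])` and `elbv2.describe_target_health(TargetGroupArn=...)`.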

Comments

INASR
Highly Voted 3 months, 3 weeks ago
B & D are correct answers
upvoted 19 times
Kdosec
2 months, 3 weeks ago
I don't know why the answer is B, because the question mentioned that "The Security Engineer has verified the following: 1. The rule set in the Security Groups is correct", so it means that the Security Groups have been checked and verified correctly, isn't it?
upvoted 1 times
jackn
2 months, 3 weeks ago
yes, it states "THE RULE SET in the Security Groups is correct" it doesn't say this SG is applied / attached to this particular web server's ENI
upvoted 2 times
mojoa
Highly Voted 3 months, 4 weeks ago
The issue would not be NAT related, so eliminate A and E. The problem is inbound, so eliminate C. This leaves B and D.
upvoted 16 times
sam_live
Most Recent 2 days, 10 hours ago
I would select options C & D. Because unless you explicitly configure the instances to route traffic via the security appliance, it won't do so by itself. The question says that it must traverse the virtual security appliance.
upvoted 1 times
LaLune
1 week, 2 days ago
* The question stipulates that the security groups are OK (1) --> B is eliminated
* The NAT is for outbound user-controlled traffic, not inbound as the question specified --> A & E discarded
* For the two remaining choices we have C and D, which seem right as: 1) if that particular server was not properly registered with the target group, it will not receive inbound traffic; 2) if the route table associated with the web server subnet is not pointing to the virtual security appliance, it won't receive traffic. So, we can safely say C & D are the correct answers.
upvoted 1 times
lmtony
2 months, 3 weeks ago
B & D are correct. Why? If it were related to routing (0/0), then all servers would be affected -> A, C, E are wrong. If it relates to inbound connectivity -> the NAT gateway is not relevant -> A, E are wrong.
upvoted 3 times
EA_Practice
2 months, 3 weeks ago
Can anyone explain why, besides re-stating the same? I can't picture what is connected to what: without an exhibit this is a cruel Q.
upvoted 1 times
sanjaym
2 months, 3 weeks ago
Ans: BD
upvoted 1 times
devjava
2 months, 3 weeks ago
Ans > B,D
upvoted 1 times
AfricanCloudGuru
2 months, 3 weeks ago
Ans(B,D) https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
upvoted 1 times
wzlinux
3 months ago
BD is right
upvoted 2 times
RaySmith
3 months ago
BD is correct
upvoted 2 times
lifeisgift
3 months ago
B and D are correct. 1. NAT has nothing to do with the question: remove A and E; 2. Only one server has this issue: remove C.
upvoted 4 times
Bach999
3 months, 1 week ago
I got this question in my exam on 2020-Feb-19.
upvoted 5 times
aws_learner
3 months, 1 week ago
Look, the issue is with INBOUND connectivity.
A, C: the route table controls OUTBOUND traffic.
E: a NAT gateway takes traffic OUTBOUND.
B, D: CORRECT
upvoted 8 times
RakeshTaninki
3 months, 1 week ago
B D make sense.
upvoted 2 times
henry76
3 months, 1 week ago
B and D: the targets must be attached to the ELB, and the interface must be attached to the SG.
upvoted 2 times
McBTTF
3 months, 1 week ago
B and D
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other