
Exam AWS Certified Security - Specialty topic 1 question 73 discussion

Question #: 73
Topic #: 1

A Security Engineer discovers that developers have been adding rules to security groups that allow SSH and RDP traffic from 0.0.0.0/0 instead of from the organization's firewall IP.
What is the most efficient way to remediate the risk of this activity?

  • A. Delete the internet gateway associated with the VPC.
  • B. Use network access control lists to block source IP addresses matching 0.0.0.0/0.
  • C. Use a host-based firewall to prevent access from all but the organization's firewall IP.
  • D. Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization's firewall IP.
Suggested Answer: D
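As an added worked example (not part of the exam page and not AWS sample code), the following is the detect-and-remediate flow that answer D describes: a Lambda-backed AWS Config rule that inspects a security group's ingress rules, revokes any rule that exposes SSH (22) or RDP (3389) to 0.0.0.0/0, and replaces it with the same rule scoped to the organization's firewall address. The decision logic is kept in pure functions so it runs offline; the AWS API calls live only in `lambda_handler`. It goes slightly beyond the question by also treating `::/0`, all-traffic (`-1`) rules and TCP port ranges that include 22 or 3389 as "open". Assumptions not stated in the question: the firewall address is read from an `ORG_FIREWALL_CIDR` environment variable, the `192.0.2.10/32` default is a placeholder from the TEST-NET-1 documentation range, and the sample security group at the bottom is constructed for illustration.

```python
"""Added example: the Config-rule + Lambda remediation that answer D describes.
Not from the exam page or from AWS. Pure decision logic first (runs offline),
AWS calls only inside lambda_handler.

Assumptions (not in the question): the firewall address comes from the
ORG_FIREWALL_CIDR environment variable; 192.0.2.10/32 is a placeholder from
the TEST-NET-1 documentation range, not a real address.
"""
import json
import os

ADMIN_PORTS = {22, 3389}                 # SSH and RDP
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}       # "anywhere", IPv4 and IPv6
ORG_FIREWALL_CIDR = os.environ.get("ORG_FIREWALL_CIDR", "192.0.2.10/32")


def covers_admin_port(perm):
    """True if an IpPermission reaches TCP 22 or 3389, including via
    all-traffic (-1) or a TCP port range such as 20-25."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def find_open_admin_rules(ip_permissions):
    """Return (permission, cidr, is_ipv6) for each ingress rule that exposes
    SSH/RDP to the whole internet. Rules from other CIDRs, or world-open rules
    on non-admin ports (e.g. 443 from 0.0.0.0/0), are left alone."""
    hits = []
    for perm in ip_permissions:
        if not covers_admin_port(perm):
            continue
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") in OPEN_CIDRS:
                hits.append((perm, r["CidrIp"], False))
        for r in perm.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") in OPEN_CIDRS:
                hits.append((perm, r["CidrIpv6"], True))
    return hits


def plan_remediation(ip_permissions, allowed_cidr=ORG_FIREWALL_CIDR):
    """Build the IpPermissions to revoke and to authorize (EC2 API shape) so
    each offending rule is replaced by a firewall-only one. Only an IPv4
    firewall address is assumed, so an open IPv6 rule is revoked without an
    IPv6 replacement."""
    revoke, authorize = [], []
    for perm, cidr, is_v6 in find_open_admin_rules(ip_permissions):
        base = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            base.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
        if is_v6:
            revoke.append({**base, "Ipv6Ranges": [{"CidrIpv6": cidr}]})
        else:
            revoke.append({**base, "IpRanges": [{"CidrIp": cidr}]})
            authorize.append({**base, "IpRanges": [{
                "CidrIp": allowed_cidr, "Description": "org firewall (auto-remediated)"}]})
    return revoke, authorize


def lambda_handler(event, context):
    """Entry point for a custom AWS Config rule: re-read the group with the EC2
    API (PascalCase shape), fix it, and report compliance back to Config."""
    import boto3                                   # lazy so the logic above runs offline
    from botocore.exceptions import ClientError

    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    sg_id = item["resourceId"]
    ec2, config = boto3.client("ec2"), boto3.client("config")

    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    revoke, authorize = plan_remediation(sg["IpPermissions"])
    compliance = "COMPLIANT"
    if revoke:
        compliance = "NON_COMPLIANT"
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=revoke)
    if authorize:
        try:
            ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=authorize)
        except ClientError as err:                 # firewall rule already present
            if err.response["Error"]["Code"] != "InvalidPermission.Duplicate":
                raise
    config.put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": "AWS::EC2::SecurityGroup",
            "ComplianceResourceId": sg_id,
            "ComplianceType": compliance,
            "Annotation": f"revoked {len(revoke)} world-open SSH/RDP rule(s)",
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample (not a real group): SSH open to the world, RDP open to
# IPv6 "anywhere" but restricted on IPv4, and HTTPS open to the world, which
# is allowed and must be left untouched.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]

if __name__ == "__main__":
    rev, auth = plan_remediation(SAMPLE_PERMISSIONS)
    print(json.dumps({"revoke": rev, "authorize": auth}, indent=2))
```

Run locally it prints the revoke/authorize plan for the constructed group; deployed, the function's role needs ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress and config:PutEvaluations. Two practitioner caveats: the same outcome can be had without custom code by pairing the managed Config rules restricted-ssh / restricted-common-ports with the SSM Automation document AWS-DisablePublicAccessForSecurityGroup as a remediation action, and either way this is a detective control with a window between the developer's change and the fix, so it belongs alongside a preventive control (IAM or SCP conditions on ec2:AuthorizeSecurityGroupIngress) rather than in place of one.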

Comments

ugreenhost
Highly Voted 3 years, 9 months ago
D is more appropriate. If you use a NACL to block 0.0.0.0/0, it will affect instances not associated with the security group as well. My answer is D.
upvoted 22 times
lxgzmy
3 years, 9 months ago
Agree. If you use a NACL it will block everything; what about the publicly reachable servers? They should have the choice as well. The question talks about the security group level.
upvoted 1 times
newbie2019
3 years, 9 months ago
correct!
upvoted 2 times
BillyC
Highly Voted 3 years, 9 months ago
D is Correct!
upvoted 7 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: D
Unbelievable number of wrong answers. This has to be D ofc.
upvoted 1 times
ITGURU51
2 years, 1 month ago
Automation is the most efficient way to address the problem, therefore the answer is D.
upvoted 1 times
matrpro
2 years, 2 months ago
Selected Answer: D
D is correct because this is automated, continuous and active every time developers add the rule.
upvoted 1 times
patou
2 years, 2 months ago
Selected Answer: D
this is obvious
upvoted 1 times
vavofa5697
2 years, 2 months ago
Selected Answer: D
B will block everything, more proper answer will be D
upvoted 1 times
Cedhulk
2 years, 4 months ago
Selected Answer: D
It's D
upvoted 1 times
exam67
2 years, 6 months ago
Selected Answer: D
D is the correct answer. For the reasons, refer to ugreenhost's explanation.
upvoted 1 times
skillz2investor
2 years, 7 months ago
Selected Answer: D
D is the correct answer. NACL will block other publicly accessible services as well.
upvoted 1 times
arae
2 years, 8 months ago
D makes sense
upvoted 1 times
arae
2 years, 9 months ago
Answer D, because you can automate it, so you avoid anyone making changes to the SG that don't fit the criteria.
upvoted 1 times
lotfi50
3 years ago
Selected Answer: D
D is Correct!
upvoted 1 times
sanjaym
3 years, 8 months ago
Ans: D 100%
upvoted 1 times
Larsson
3 years, 8 months ago
D. Who writes these answers? "Block everything"
upvoted 1 times
ChinkSantana
3 years, 8 months ago
"What is the most efficient way to remediate the risk of this activity?" This is an active solution. If you block on the NACL, what stops the developers who added the rule to the SG from removing the configured rule on the NACL? D is correct because it is automated, continuous and active every time developers add the rule.
upvoted 1 times
shooricg
3 years, 8 months ago
B is the correct answer. ACLs are at the subnet level; the majority of the time developers are reusing subnets when creating EC2 instances and SGs, so blocking traffic from a range of IPs using ACLs makes sense, and it is pretty easy.
upvoted 1 times
examtaker12
3 years, 8 months ago
Stop saying nonsense. 0.0.0.0/0 means every IP, including the firewall's one.
upvoted 12 times
Community vote distribution: A (35%), C (25%), B (20%), Other