Exam AWS Certified Security - Specialty topic 1 question 87 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 87
Topic #: 1
A Systems Engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the Development team wants to use security groups and network ACLs to accomplish various security requirements in the environment.
What configuration is necessary to allow the virtual security appliance to route the traffic?

  • A. Disable network ACLs.
  • B. Configure the security appliance's elastic network interface for promiscuous mode.
  • C. Disable the Network Source/Destination check on the security appliance's elastic network interface.
  • D. Place the security appliance in the public subnet with the internet gateway.
Suggested Answer: C
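As an added example (not from the exam page or from AWS), an offline audit in Python that cross-references route tables with the ENIs they target and flags any target ENI whose source/destination check is still enabled, which is the misconfiguration option C fixes. All ENI, route-table and subnet identifiers are constructed sample values; the field names follow the shape of EC2 DescribeRouteTables and DescribeNetworkInterfaces responses, so in a real account the output of boto3's describe_route_tables() and describe_network_interfaces() can be passed in unchanged.

```python
# Constructed sample data shaped like EC2 DescribeRouteTables / DescribeNetworkInterfaces
# responses. The private subnet's route table hands all non-local traffic to an inline
# appliance ENI (eni-0app001); eni-0web001 is an ordinary web server in the same subnet.
ROUTE_TABLES = {
    "RouteTables": [{
        "RouteTableId": "rtb-0aaa111",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0app001"},
        ],
    }]
}
NETWORK_INTERFACES = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0app001", "SourceDestCheck": True, "SubnetId": "subnet-0priv1"},
        {"NetworkInterfaceId": "eni-0web001", "SourceDestCheck": True, "SubnetId": "subnet-0priv1"},
    ]
}


def eni_route_targets(route_tables):
    """Map each ENI that appears as a route target to the (route table, destination)
    pairs that point at it. An ENI target means the instance is expected to forward."""
    targets = {}
    for rtb in route_tables["RouteTables"]:
        for route in rtb["Routes"]:
            eni = route.get("NetworkInterfaceId")
            if eni:
                dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
                targets.setdefault(eni, []).append((rtb["RouteTableId"], dest))
    return targets


def find_misconfigured_appliances(route_tables, network_interfaces):
    """Return ENIs that are route targets but still have SourceDestCheck enabled.
    With the check on, the ENI drops any packet not addressed to itself, which is
    exactly the forwarded traffic the route table is sending it. A missing attribute
    is treated as enabled (the EC2 default). Security groups and NACLs still apply."""
    targets = eni_route_targets(route_tables)
    findings = []
    for eni in network_interfaces["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        if eni_id in targets and eni.get("SourceDestCheck", True):
            findings.append({
                "eni": eni_id,
                "routes": targets[eni_id],
                "fix": "aws ec2 modify-network-interface-attribute "
                       f"--network-interface-id {eni_id} --no-source-dest-check",
            })
    return findings
```

The web server ENI is never reported, because nothing routes through it: the check is only wrong on an interface that is expected to forward.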

Comments

hakuo
Highly Voted 3 years, 7 months ago
answer: C https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#eni-basics Source/destination checking "You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls."
upvoted 13 times
FonKeel
Highly Voted 3 years, 7 months ago
Answer is C: The key point in the question is "What configuration is necessary to allow the virtual security appliance to route the traffic?"
upvoted 10 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: C
C. Similar to a NAT instance, you must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls. D is not wrong, but it is not required; it depends on the architecture. An inline virtual security appliance could be between 2 internal (private) subnets. Or it could be not directly connected to the IGW, with another hop between it and the IGW. Which means it could be deployed in a private subnet. D is not required, while C is required.
upvoted 1 times
ITGURU51
2 years, 2 months ago
As per AWS documentation: You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
upvoted 1 times
sapien45
2 years, 11 months ago
Selected Answer: C
C is a traditional mistake both on AWS and Azure when setting up virtual appliances
upvoted 1 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: C
A. ACLs cannot be disabled. B. Promiscuous mode is for packet capturing and also cannot be used on an ENI. C is for letting traffic pass through it. D. ???
upvoted 1 times
ceros399
3 years, 2 months ago
Selected Answer: C
Ans = C. As the traffic is not destined for the virtual appliance, you have to disable Source/Destination checks
upvoted 1 times
Radhaghosh
3 years, 4 months ago
Answer is C. Basic for NAT Instance
upvoted 2 times
Kdosec
3 years, 7 months ago
Why did many people select "D. Place the security appliance in the public subnet with the internet gateway"? There is no information in the question to show that the virtual appliance should be a NAT device or route to the Internet. So, D is not correct. Answer must be C.
upvoted 3 times
sanjaym
3 years, 7 months ago
Ans: C
upvoted 2 times
Hungdv
3 years, 7 months ago
Answer is C. D does not relate to traffic routing.
upvoted 2 times
Edgecrusher77
3 years, 7 months ago
C, basic configuration
upvoted 2 times
ChinkSantana
3 years, 7 months ago
C if it was an EC2-based NAT instance
upvoted 1 times
Nebolos
3 years, 7 months ago
C is the correct answer. To route means to move traffic from one subnet to another, and you need to disable Source/Destination checks for this to happen. There is no mention of the firewall being used for internet traffic, so we can assume it must be in a public subnet.
upvoted 1 times
ChinkSantana
3 years, 7 months ago
Read the question. It doesn't say the security appliance was an EC2 NAT instance.
upvoted 1 times
apartha77
3 years, 7 months ago
C https://community.checkpoint.com/t5/Cloud-Network-Security/What-is-up-with-Disabling-Source-Destination-check-for-vSEC-in/td-p/7140
upvoted 1 times
devjava
3 years, 7 months ago
Ans > D https://aws.amazon.com/pt/blogs/networking-and-content-delivery/securing-egress-using-ids-ips-leveraging-transit-gateway/
upvoted 1 times
evishalarora
3 years, 7 months ago
The question doesn't mention if the appliance is on an EC2 instance or a marketplace appliance. If a marketplace appliance, C might not be necessary. In my opinion, it should be D
upvoted 3 times
AfricanCloudGuru
3 years, 7 months ago
Ans: (D)
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other