Exam AWS Certified Solutions Architect - Associate SAA-C02 All Questions

Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 414 discussion

A solutions architect is developing a multiple-subnet VPC architecture. The solution will consist of six subnets in two Availability Zones. The subnets are defined as public, private and dedicated for databases. Only the Amazon EC2 instances running in the private subnets should be able to access a database.
Which solution meets these requirements?

  • A. Create a new route table that excludes the route to the public subnets' CIDR blocks. Associate the route table to the database subnets.
  • B. Create a security group that denies ingress from the security group used by instances in the public subnets. Attach the security group to an Amazon RDS DB instance.
  • C. Create a security group that allows ingress from the security group used by instances in the private subnets. Attach the security group to an Amazon RDS DB instance.
  • D. Create a new peering connection between the public subnets and the private subnets. Create a different peering connection between the private subnets and the database subnets.
Suggested Answer: C 🗳️
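The behaviour the suggested answer relies on, shown as an added Python model that is not part of the exam material or of any comment below: security-group rules are allow-only, a rule's source may reference another security group, and a flow that matches no rule is implicitly denied. The group ids, ports and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
# Toy model of security-group evaluation (an added illustration, not AWS code);
# group ids, CIDRs and addresses below are constructed for the example.

@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)  # (protocol, port, source) tuples

    def authorize_ingress(self, protocol, port, source, action="allow"):
        # Security groups hold allow rules only; a "deny" rule cannot be written.
        if action != "allow":
            raise ValueError("security group rules are always permissive")
        self.ingress.append((protocol, port, source))  # source: CIDR or sg-id

@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str
    groups: tuple  # security groups attached to the instance's ENI

def ingress_allowed(target_sg, src, protocol, port):
    """True if any rule on target_sg matches the flow; otherwise implicit deny.
    src is an Instance (so SG-referencing rules can match) or a bare IP string."""
    src_ip = ipaddress.ip_address(src.private_ip if isinstance(src, Instance) else src)
    src_groups = set(src.groups) if isinstance(src, Instance) else set()
    for proto, prt, source in target_sg.ingress:
        if proto != protocol or prt != port:
            continue
        if source.startswith("sg-"):
            if source in src_groups:  # matches group membership, not subnet placement
                return True
        elif src_ip in ipaddress.ip_network(source):
            return True
    return False

def exam_scenario():
    """Option C: the DB security group allows ingress only from sg-private."""
    sg_db = SecurityGroup("sg-db")
    sg_db.authorize_ingress("tcp", 3306, "sg-private")
    app = Instance("app", "10.0.2.10", ("sg-private",))    # private subnet
    web = Instance("web", "10.0.1.10", ("sg-public",))     # public subnet
    stray = Instance("stray", "10.0.2.20", ("sg-other",))  # private subnet, other SG
    return {
        "app_to_db": ingress_allowed(sg_db, app, "tcp", 3306),
        "web_to_db": ingress_allowed(sg_db, web, "tcp", 3306),
        "stray_to_db": ingress_allowed(sg_db, stray, "tcp", 3306),
        "internet_to_db": ingress_allowed(sg_db, "203.0.113.7", "tcp", 3306),
    }
```

The `stray` case is the caveat behind the question's wording: an SG-referencing rule tracks group membership, so an instance placed in a private subnet but not attached to `sg-private` is still denied.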

Comments

dmscountera
Highly Voted 3 years, 8 months ago
C. Create a security group that allows ingress from the security group used by instances in the private subnets. Attach the security group to an Amazon RDS DB instance.
upvoted 56 times
Rajjay
3 years, 6 months ago
Security groups have no ability to deny anything.
upvoted 8 times
gargaditya
3 years, 6 months ago
Exactly. Unlike Azure, in AWS SGs contain only Allow statements (NACLs contain both allow and deny, but are applied at the subnet level and are stateless). SGs are applied at the NIC level (unlike Azure, where they are applied at the NIC and subnet level).
upvoted 8 times
meeko86
Highly Voted 3 years, 7 months ago
Answer C. Security groups are stateful. All inbound traffic is blocked by default. If you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again. You cannot block specific IP addresses using Security groups (instead use Network Access Control Lists).
upvoted 23 times
craycomm
3 years, 7 months ago
I don't think that's correct; see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html The following are the characteristics of security group rules: Security group rules are always permissive; you can't create rules that deny access.
upvoted 3 times
gargaditya
3 years, 6 months ago
Both of you are correct and talking about 2 different things.
upvoted 1 times
Gomer
3 years, 6 months ago
You can deny access if you only allow members of another security group to access. That implicitly denies access to anything that is not in the EC2 security group used in the private subnet. I didn't understand all this until I went and played with the security group filters where you could select another security group instead of IP filter. Once it clicked in my head, it all became simple.
upvoted 2 times
axelrodb
Most Recent 1 year, 9 months ago
Selected Answer: C
Security groups are stateful. All inbound traffic is blocked by default. If you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again. You cannot block specific IP addresses using Security groups (instead use Network Access Control Lists).
upvoted 1 times
queen101
2 years, 10 months ago
CCCCCCCCCCC
upvoted 1 times
slcheng
2 years, 11 months ago
Selected Answer: B
Trick question. It mentions "...Access to a database should be restricted to Amazon EC2 instances operating on private subnets". Which answer meets the criteria? It is not asking how to create it.
upvoted 1 times
ChiefArch
2 years, 9 months ago
But this solution doesn't specifically allow DB access from EC2 which is a requirement.
upvoted 1 times
naveenagurjara
2 years, 11 months ago
Selected Answer: C
SG cannot deny. Only Allow with default deny in the end.
upvoted 1 times
Christoph2
3 years ago
Why not A? You do not need 3 subnets for security groups. Also, the usage of a specific security group cannot be enforced.
upvoted 1 times
Salem_Express
3 years, 4 months ago
Selected Answer: C
It is definitely C. Simply put, a security group doesn't allow/deny traffic; it is the ACL in which deny rules are set.
upvoted 1 times
Munna_Bhaiya
3 years, 5 months ago
Selected Answer: C
By default, the subnet blocks access; you need to create a rule that allows the private subnets to access the DB.
upvoted 2 times
jake_lee
3 years, 6 months ago
Selected Answer: C
SG has no deny function. Only ACL can allow/deny egress/ingress traffic.
upvoted 1 times
ruturajjena
3 years, 6 months ago
Selected Answer: C
Security groups can only allow traffic. By default it's all deny.
upvoted 1 times
pikaflash
3 years, 6 months ago
Selected Answer: C
C. Create a security group that allows ingress from the security group used by instances in the private subnets. Attach the security group to an Amazon RDS DB instance.
upvoted 1 times
aravinds4
3 years, 6 months ago
Selected Answer: C
Security group basics. The following are the characteristics of security groups: You can specify allow rules, but not deny rules. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
upvoted 1 times
aws_aspirant
3 years, 6 months ago
cccccccccccc
upvoted 1 times
jnxtx
3 years, 6 months ago
Answer is C. "You can specify allow rules, but not deny rules." "When you first create a security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group." Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#VPCSecurityGroups
upvoted 3 times
spydii
3 years, 7 months ago
Security groups cannot deny anything. Please find a good handbook and read about AWS solutions and products before coming here. C is the answer.
upvoted 8 times
Ln312
3 years, 7 months ago
Ah... again, how can your website choose B? It's C for sure; an SG cannot have a deny rule added.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other