
Exam AWS Certified Security - Specialty topic 1 question 150 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 150
Topic #: 1

A company is configuring three Amazon EC2 instances with each instance in a separate Availability Zone. The EC2 instances will be used as transparent proxies for outbound internet traffic for ports 80 and 443 so the proxies can block traffic to certain internet destinations as required by the company's security policies. A Security Engineer completed the following:

✑ Set up the proxy software on the EC2 instances.
✑ Modified the route tables on the private subnets to use the proxy EC2 instances as the default route.
✑ Created a security group rule opening inbound TCP ports 80 and 443 on the proxy EC2 instance security group.
However, the proxy EC2 instances are not successfully forwarding traffic to the internet.
What should the Security Engineer do to make the proxy EC2 instances route traffic to the internet?

  • A. Put all the proxy EC2 instances in a cluster placement group.
  • B. Disable source and destination checks on the proxy EC2 instances.
  • C. Open all inbound ports on the proxy EC2 instance security group.
  • D. Change the VPC's DHCP domain-name-servers options set to the IP addresses of proxy EC2 instances.
Suggested Answer: B
Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
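As an added example (not from the exam page or the AWS documentation it references), the following Python audit finds instances that are a route table's 0.0.0.0/0 target but still have the source/destination check enabled, which is exactly the state in which the proxies in this question drop the traffic they should forward. The dict shapes follow boto3's describe_route_tables and describe_instance_attribute responses; the route table, subnet and instance ids are constructed sample values, and audit_live is the same check against a real account.

```python
"""Audit for this question's failure mode: an instance that is a subnet's
0.0.0.0/0 route target but still has the source/destination check enabled drops
the traffic it should forward. Dict shapes follow boto3 responses; ids are constructed."""
from typing import Callable, Dict, List

# Constructed sample: three private subnets (one per AZ), each defaulting to
# the proxy instance in its own AZ.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-aaaa", "Associations": [{"SubnetId": "subnet-1a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-proxy1a"}]},
    {"RouteTableId": "rtb-bbbb", "Associations": [{"SubnetId": "subnet-1b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-proxy1b"}]},
    {"RouteTableId": "rtb-cccc", "Associations": [{"SubnetId": "subnet-1c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-proxy1c"}]},
]
# Constructed: the check has been disabled on only one of the three proxies so far.
SAMPLE_SRC_DST_CHECK = {"i-proxy1a": False, "i-proxy1b": True, "i-proxy1c": True}

def default_route_instances(route_tables: List[dict]) -> Dict[str, List[str]]:
    """Map instance id -> ids of the route tables whose 0.0.0.0/0 route targets it."""
    targets: Dict[str, List[str]] = {}
    for rtb in route_tables:
        for route in rtb.get("Routes", []):
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and "InstanceId" in route:
                targets.setdefault(route["InstanceId"], []).append(rtb["RouteTableId"])
    return targets

def misconfigured_proxies(route_tables: List[dict],
                          check_enabled: Callable[[str], bool]) -> List[str]:
    """Default-route target instances on which SourceDestCheck is still true."""
    return sorted(i for i in default_route_instances(route_tables) if check_enabled(i))

def audit_live(region: str) -> List[str]:
    """Same audit against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the sample run needs no network access
    ec2 = boto3.client("ec2", region_name=region)
    def live_check(instance_id: str) -> bool:
        attr = ec2.describe_instance_attribute(InstanceId=instance_id, Attribute="sourceDestCheck")
        return attr["SourceDestCheck"]["Value"]
    return misconfigured_proxies(ec2.describe_route_tables()["RouteTables"], live_check)

if __name__ == "__main__":
    for bad in misconfigured_proxies(SAMPLE_ROUTE_TABLES, SAMPLE_SRC_DST_CHECK.__getitem__):
        print(f"{bad}: default-route target with source/dest check still enabled; fix: "
              f"aws ec2 modify-instance-attribute --instance-id {bad} --no-source-dest-check")
```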

Comments

refuz
Highly Voted 3 years, 7 months ago
B is correct
upvoted 9 times
[Removed]
Highly Voted 2 years, 6 months ago
B. Disable source and destination checks on the proxy EC2 instances. To make the proxy EC2 instances route traffic to the internet, the Security Engineer should disable source and destination checks on the proxy EC2 instances. By default, all EC2 instances have source and destination checks enabled, which means that the instances will only accept traffic that is sent to or from the instance's elastic network interface (ENI). Since the proxy EC2 instances are being used as transparent proxies for outbound internet traffic, they need to be able to receive traffic from any source and forward it to the internet, regardless of the source or destination IP address. Disabling source and destination checks on the proxy EC2 instances will allow them to receive and forward traffic to the internet as expected. Other options, such as putting all the proxy EC2 instances in a cluster placement group or opening all inbound ports on the proxy EC2 instance security group, are not necessary for the proxy EC2 instances to route traffic to the internet.
upvoted 7 times
Root_Access
Most Recent 2 years, 9 months ago
Selected Answer: B
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
upvoted 2 times
cldy
3 years, 7 months ago
B. Basic 101
upvoted 3 times
ChinkSantana
3 years, 8 months ago
Easiest question here. The EC2 instance is a NAT instance.
upvoted 2 times
[Removed]
3 years, 8 months ago
Disabling source and destination checks on the proxy instance is also necessary to allow it to receive traffic not destined for the instance’s own IP address: https://www.nearform.com/blog/building-a-transparent-proxy-in-aws-vpc-with-terraform-and-squid/
upvoted 5 times
viestner
3 years, 8 months ago
B, sure
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other