ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS-SysOps All Questions

View all questions & answers for the AWS-SysOps exam
Go to Exam

Exam AWS-SysOps topic 1 question 893 discussion

Exam question from Amazon's AWS-SysOps
Question #: 893
Topic #: 1
[All AWS-SysOps Questions]

A SysOps administrator recently launched an application consisting of web servers running on Amazon EC2 instances, an Amazon ElastiCache cluster communicating on port 6379, and an Amazon RDS for PostgreSQL DB instance communicating on port 5432. The web servers are in the security group web-sg, the ElastiCache cluster is in the security group cache-sg, and the DB instance is in the security group database-sg.
The application fails on start, with the error message `Unable to connect to the database`.
The rules in web-sg are as follows.

Which change should the SysOps administrator make to web-sg to correct the issue without compromising security?

  • A. Add a new inbound rule: database-sg TCP 5432
  • B. Add a new outbound rule: database-sg TCP 5432
  • C. Add a new outbound rule: 0.0.0.0/0 All Traffic 0-65535
  • D. Change the outbound rule to: cache-sg TCP 5432
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by krishna2812 at May 3, 2021, 8:32 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
thirusk
Highly Voted 2 years, 3 months ago
B. Need to add outbound rule for database-sg
upvoted 11 times
...
einn
Most Recent 2 years, 1 month ago
The answer should be B, the question is asking what rule needs to be added to web-sg. We need to allow traffic from the web to DB. So is adding an outbound rule: database-sg TCP 5432. Correct me if I am wrong. Thanks
upvoted 1 times
...
Cyril_the_Squirl
2 years, 1 month ago
A is Correct. Since we give access via SG, the DB SG needs to allow Inbound traffic (Inbound rule) from the servers. A is the only option with "inbound"...
upvoted 1 times
...
random_007
2 years, 1 month ago
answer B
upvoted 1 times
...
Pradhan
2 years, 1 month ago
It should be 'A'
upvoted 2 times
...
gingerbytes
2 years, 2 months ago
B. To allow inbound connection from DB to Web since this is stateful.
upvoted 1 times
...
gingerbytes
2 years, 2 months ago
B. To allow outbound connection from web to DB since this is stateful.
upvoted 1 times
...
awsmov
2 years, 2 months ago
Correct answer should be B. EC2 needs to directly access database when having cache miss. Security group outbound rule must allow this access. A cache miss occurs when data isn't in the cache or is expired: Your application requests data from the cache. The cache doesn't have the requested data, so returns a null. Your application requests and receives the data from the database. Your application updates the cache with the new data.
upvoted 2 times
davidy2020
2 years, 1 month ago
thanks for explained it clearly
upvoted 1 times
...
Nemozini
2 years, 1 month ago
The question doesn’t mention if cache is used to cache DB data. It could be caching something else. We don’t know.
upvoted 1 times
...
...
TroyMcLure
2 years, 2 months ago
Correct Answer: A That inbound rule suggested on "A" would allow communication from the database server to the web server. Whenever a "page fault" on Elasticache happens, the database would be the responsible for returning the data to the web server, and this communication would be sourced from port TCP 5432 inbound to the web-sg.
upvoted 3 times
...
RicardoD
2 years, 2 months ago
B is the answer
upvoted 1 times
...
sig
2 years, 3 months ago
The correct answer is B because the security group is stateful communication.
upvoted 2 times
Reilgh
2 years, 2 months ago
SG are stateful which means that all Outbound is open. Meaning that the inbound traffic is what would need to be allowed... Meaning the answer would be A.
upvoted 3 times
Su123456
2 years, 1 month ago
@Religh this is simply not true. The fact that SG are stateful doesn't mean that all outbound traffic is allowed, it just means that it is aware of session-based communication and won't block incoming communication if the session already exists. "By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed." https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
upvoted 2 times
task_7
10 months, 3 weeks ago
I agree on this and for connecting to DB, DB-sg needs to allow inbound TCP 5432 from web-sg and web outbound needs rule outbound rule: 0.0.0.0/0 All Traffic 0-65535. My response will be C
upvoted 1 times
...
...
...
...
Rijndael
2 years, 3 months ago
Ill go with A
upvoted 2 times
...
krishna2812
2 years, 3 months ago
A is good.
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel