Exam AWS Certified Security - Specialty topic 1 question 260 discussion

Question #: 260
Topic #: 1

A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security. The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306.

Which network ACL rule set meets these requirements?

  • A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
  • B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
  • C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
  • D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
Suggested Answer: B
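The two facts that decide this question are that network ACLs are stateless (the reply to an outbound TCP connection is a separate inbound packet that needs its own allow) and that rules are evaluated in ascending rule number with the first match winning, falling through to the implicit `*` deny. The following is an added example, not code from the page or from AWS: a small evaluator that models those two behaviours and checks all four answer options against constructed traffic (an outbound TLS connection, its return packet to an arbitrarily chosen ephemeral port 49152, and an inbound probe of port 3306). It deliberately ignores source and destination CIDRs, which the question does not specify, and it only knows TCP.

```python
"""Toy model of AWS network ACL evaluation (added example, not AWS code).

Models two properties of NACLs:
  1. stateless: outbound and inbound are judged independently, so return
     traffic to the instance's ephemeral source port needs an inbound rule;
  2. ordered: rules are tried in ascending rule number, first match wins,
     and an unmatched packet hits the implicit '*' deny.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str       # "allow" or "deny"
    proto: str        # only "tcp" is modelled here
    port_from: int    # destination port range, inclusive
    port_to: int


def evaluate(rules, proto, dst_port):
    """Return 'allow' or 'deny' for one packet under first-match semantics."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto == proto and rule.port_from <= dst_port <= rule.port_to:
            return rule.action
    return "deny"  # implicit '*' rule at the end of every NACL


EPHEMERAL = (1024, 65535)
HTTPS_OUT = [Rule(100, "allow", "tcp", 443, 443)]  # identical in all four options

# The four answer options, transcribed from the question.
OPTIONS = {
    "A": {"inbound": [Rule(100, "allow", "tcp", 443, 443),
                      Rule(200, "deny", "tcp", 3306, 3306)],
          "outbound": HTTPS_OUT},
    "B": {"inbound": [Rule(100, "deny", "tcp", 3306, 3306),
                      Rule(200, "allow", "tcp", *EPHEMERAL)],
          "outbound": HTTPS_OUT},
    "C": {"inbound": [Rule(100, "allow", "tcp", *EPHEMERAL),
                      Rule(200, "deny", "tcp", 3306, 3306)],
          "outbound": HTTPS_OUT},
    "D": {"inbound": [Rule(100, "deny", "tcp", 3306, 3306),
                      Rule(200, "allow", "tcp", 443, 443)],
          "outbound": HTTPS_OUT},
}


def client_flow_allowed(acl, client_port=49152):
    """Constructed traffic: the instance opens a TLS connection to an internet
    service (outbound, dst 443) and the SYN/ACK comes back to the instance's
    ephemeral source port (inbound, dst client_port). Both must be allowed."""
    outbound_syn = evaluate(acl["outbound"], "tcp", 443)
    inbound_reply = evaluate(acl["inbound"], "tcp", client_port)
    return outbound_syn == "allow" and inbound_reply == "allow"


def mysql_blocked(acl):
    """Constructed traffic: an inbound probe of MySQL port 3306 must be denied."""
    return evaluate(acl["inbound"], "tcp", 3306) == "deny"


def meets_requirements(acl):
    return client_flow_allowed(acl) and mysql_blocked(acl)


def check_all():
    """Map each option letter to whether it satisfies both requirements."""
    return {name: meets_requirements(acl) for name, acl in OPTIONS.items()}


if __name__ == "__main__":
    for name, acl in OPTIONS.items():
        print(f"{name}: tls-out={client_flow_allowed(acl)} "
              f"3306-blocked={mysql_blocked(acl)} "
              f"-> {'OK' if meets_requirements(acl) else 'FAIL'}")
```

Running it shows why each wrong option fails: A and D allow the outbound SYN but have no inbound rule covering the ephemeral port the reply arrives on, so the connection never completes; C puts the wide ephemeral allow at rule 100, so the 3306 deny at rule 200 is never reached (3306 lies inside 1024-65535). Only B both returns the reply and blocks 3306, which is exactly the ordering the AWS documentation linked in the comments below recommends: place deny rules before the allow that opens the ephemeral range.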

Comments

babaseun
Highly Voted 3 years, 7 months ago
B: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports Ensure that you place the deny rules earlier in the table than the allow rules that open the wide range of ephemeral ports.
upvoted 26 times
sun11111
2 years, 3 months ago
You might want to add a deny rule in a situation where you legitimately need to open a wide range of ports, but there are certain ports within the range that you want to deny. Just make sure to place the deny rule earlier in the table than the rule that allows the wide range of port traffic.
upvoted 3 times
jtzt2003
Highly Voted 3 years, 6 months ago
All answers are wrong. A: inbound rules are ok, outbound doesn't allow 1024-65535. B: Inbound allows 1024-65535 C: Inbound allows 1024-65535 D: Duplicate of A. The correct answer should allow 443 inbound, deny 3306 inbound, and allow 1024-65535 outbound.
upvoted 13 times
ManasChuri
3 years, 5 months ago
My bad, it is B. The question says: "The solution must permit outbound communication to a TLS-encrypted internet service through port 443." So outbound 443 and inbound 1024-65535.
upvoted 3 times
Raphaello
1 year, 3 months ago
All answers are wrong, he says! And "Highly Voted", they say. Let's see! A: inbound rules are ok, he says.. "A. Use inbound rule 100 to allow traffic on TCP port 443."!!!!!! B: Inbound allows 1024-65535..yeah? What's wrong with that? D: Duplicate of A..he says! Man, I hope you're just trolling.
upvoted 1 times
Raphaello
Most Recent 1 year, 2 months ago
Selected Answer: B
Correct answer is B.
upvoted 1 times
captainpike
1 year, 10 months ago
Selected Answer: B
B. Check "Ephemeral ports" in https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
upvoted 1 times
Smartphone
2 years, 3 months ago
B is the correct answer. If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, and so on). https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
upvoted 1 times
Chiquitabandita
2 years, 3 months ago
The choice B is correct, I think, but the answer is just worded in a weird manner. The internal host is the source trying to go out, so outbound on port 443, and the reply needs to return on inbound ports 1024-65535.
upvoted 1 times
Jimmy123
2 years, 3 months ago
Selected Answer: D
The correct answer is D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443. This rule set denies all inbound traffic destined for MySQL port 3306 while allowing all outbound traffic to the internet service that uses TLS through port 443, and also allowing all outbound traffic.
upvoted 1 times
boooliyooo
2 years, 4 months ago
Selected Answer: D
If we knew that the only port that is going to be used is 443, why couldn't it be inbound/outbound 443 only? The network ACL rule set that meets these requirements is D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443. This will block any inbound traffic to MySQL port 3306 and allow outbound traffic to the internet service that uses TLS through port 443.
upvoted 1 times
jishrajesh
2 years, 4 months ago
selected B
upvoted 1 times
sakibmas
2 years, 4 months ago
Selected Answer: B
The solution must allow outbound traffic to an internet service that uses TLS through port 443.
upvoted 1 times
cloud_collector
2 years, 8 months ago
B is correct
upvoted 1 times
Rja148393
2 years, 9 months ago
D - Probably because allowing inbound on 1024-65535 will not sit in line with security hardening. Better to allow only 443 inbound rather than allowing the entire ephemeral port range
upvoted 3 times
TigerInTheCloud
3 years, 1 month ago
Selected Answer: B
A - Inbound needs ephemeral ports 1024-65535 for the return traffic of the outbound port 443 traffic. B - Good one. C - Rule 200 will not be evaluated and traffic to 3306 is not blocked. D - Same as A.
upvoted 2 times
ceros399
3 years, 2 months ago
B: Inbound: 100 deny port 3306 (you deny SQL); 200 allow ports 1024-65535 (you allow the reply traffic back). Outbound: 100 permit port 443 (allow HTTPS out).
upvoted 2 times
FreshNess
3 years, 2 months ago
Selected Answer: B
B!!!!!!!!!!!!!!!!
upvoted 3 times
Ddssssss
3 years, 2 months ago
Selected Answer: D
Deny first, allow second. Least privilege, so you can't allow all of those inbound ports; ephemeral should be for outbound only.
upvoted 1 times
ceros399
3 years, 2 months ago
Wrong, NACLs are stateless. That means that if you need to communicate to the internet via 443, because this is TCP, you'll get your answer through one of the ephemeral ports 1024-65535; that is why you need that rule inbound.
upvoted 2 times
MoreOps
3 years, 2 months ago
Selected Answer: B
Easily B
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other