Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 309 discussion

A company is planning on deploying a newly built application on AWS in a default VPC. The application will consist of a web layer and database layer. The web server was created in public subnets, and the MySQL database was created in private subnets. All subnets are created with the default network ACL settings, and the default security group in the VPC will be replaced with new custom security groups.
The following are the key requirements:
✑ The web servers must be accessible only to users on an SSL connection.
✑ The database should be accessible to the web layer, which is created in a public subnet only.
✑ All traffic to and from the IP range 182.20.0.0/16 subnet should be blocked.
Which combination of steps meets these requirements? (Choose two.)

  • A. Create a database server security group with inbound and outbound rules for MySQL port 3306 traffic to and from anywhere (0.0.0.0/0).
  • B. Create a database server security group with an inbound rule for MySQL port 3306 and specify the source as a web server security group.
  • C. Create a web server security group with an inbound allow rule for HTTPS port 443 traffic from anywhere (0.0.0.0/0) and an inbound deny rule for IP range 182.20.0.0/16.
  • D. Create a web server security group with an inbound rule for HTTPS port 443 traffic from anywhere (0.0.0.0/0). Create network ACL inbound and outbound deny rules for IP range 182.20.0.0/16.
  • E. Create a web server security group with inbound and outbound rules for HTTPS port 443 traffic to and from anywhere (0.0.0.0/0). Create a network ACL inbound deny rule for IP range 182.20.0.0/16.
Suggested Answer: BD

Comments

examJack
Highly Voted 3 years, 2 months ago
Selected Answer: BD
A. (X) private subnet (MySQL) should be behind public subnet
B. (O) database server security group enables traffic between web-to-db (public subnet to private subnet)
C. (X) security group has only "Allow" option.
D. (O) web server security group allows 443 from any. NACL deny in/out from 182.20.0.0/16
E. (X) Security groups are stateful. For example, if you send a request from an instance, the response traffic for that request is allowed to reach the instance regardless of the inbound security group rules. Responses to allowed inbound traffic are allowed to leave the instance, regardless of the outbound rules.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
upvoted 5 times
...
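A small model of the evaluation rules the answers rely on, added here as an example and not part of the original page or of any comment: security groups hold allow rules only and are stateful, while network ACLs are stateless and evaluated in rule-number order. The rule numbers, the `sg-web`/`sg-other` IDs and the client addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

BLOCKED = "182.20.0.0/16"

def nacl_allows(rules, ip):
    """Stateless NACL: lowest rule number first, first match wins, implicit deny."""
    for _num, cidr, action in sorted(rules):
        if ip_address(ip) in ip_network(cidr):
            return action == "allow"
    return False

def sg_allows(rules, port, src_ip, src_sg=None):
    """Security group: allow rules only; source is a CIDR or another group's ID."""
    for rule_port, source in rules:
        if rule_port != port:
            continue
        if source.startswith("sg-"):
            if source == src_sg:
                return True
        elif ip_address(src_ip) in ip_network(source):
            return True
    return False

# Default NACL allows everything; option D adds a lower-numbered deny each way.
# Rule numbers 90/100 and the sg- IDs are constructed for this example.
DEFAULT_NACL = [(100, "0.0.0.0/0", "allow")]
NACL_IN_D = [(90, BLOCKED, "deny")] + DEFAULT_NACL
NACL_OUT_D = [(90, BLOCKED, "deny")] + DEFAULT_NACL
NACL_OUT_E = DEFAULT_NACL            # option E: no outbound deny

WEB_SG = [(443, "0.0.0.0/0")]        # option D: HTTPS inbound only
DB_SG = [(3306, "sg-web")]           # option B: source is the web server group

def web_reachable(src_ip, port, nacl_in=NACL_IN_D, nacl_out=NACL_OUT_D):
    """Client -> web server. The SG is stateful, so only the NACL sees the reply."""
    return (nacl_allows(nacl_in, src_ip) and sg_allows(WEB_SG, port, src_ip)
            and nacl_allows(nacl_out, src_ip))

def db_reachable(src_ip, src_sg):
    """Instance -> MySQL; membership in the referenced group is what matters."""
    return sg_allows(DB_SG, 3306, src_ip, src_sg)

def can_send_to(dst_ip, nacl_out):
    """Packets leaving the subnet are checked against the outbound NACL only."""
    return nacl_allows(nacl_out, dst_ip)
```

With option E's inbound-only deny, `can_send_to` still returns true for an address in 182.20.0.0/16, which is why the "to and from" requirement needs the outbound deny from option D.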
osel
Most Recent 3 years, 4 months ago
Selected Answer: BD
A. Incorrect because can't address "database should be accessible to the web layer only".
B. Correct because can address "database should be accessible to the web layer only".
C. Incorrect because Security Group doesn't support Deny action rules.
D. Correct because can address "web servers must be accessible only to users on an SSL connection... All traffic to and from the IP range 182.20.0.0/16 subnet should be blocked".
E. Incorrect because WebSvr doesn't need to initiate HTTPS connection outbound, it only needs to receive HTTPS req inbound.
upvoted 3 times
...
rahul2k
3 years, 5 months ago
b, d... SAME QUESTION CAN BE FOUND https://www.examtopics.com/discussions/amazon/view/46404-exam-aws-certified-solutions-architect-associate-saa-c02/
upvoted 2 times
...
DRSBBSR
3 years, 5 months ago
B and D = correct
upvoted 3 times
...
brh
3 years, 5 months ago
B,D is okay
upvoted 1 times
...
mike_0
3 years, 5 months ago
B, D ans
upvoted 3 times
...
Mashuaws
3 years, 5 months ago
B , D answer
upvoted 2 times
...