Exam AWS Certified Security - Specialty topic 1 question 299 discussion

This Question Options are not correct Either, Option A --> NAT is Public Subnet or Option F --> ALB is Public Subnet. Below are valid C. Place the DB instance in a private subnet. E. Configure the Auto Scaling group to place the EC2 instances in a private subnet. So either ACE or CEF

Public subnets have a direct route to an internet gateway, while private subnets do not. Resources in a private subnet require a NAT device to access the public internet. A C E

Keyword: " preconfigured allow list of IP addresses" >>> private NAT GW. A C E would make sense. https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html#private-nat-allowed-range

Anwsers CEF

ACE, according to ChatGPT. A) Deploy a NAT Gateway in each private subnet for every Availability Zone that is in use: - This is required to allow EC2 instances in private subnets to initiate outbound connections to the internet. This is necessary for software updates, package installations, and other tasks that require internet access, such as communicating with the external payment provider. C) Place the DB instance in a private subnet: - Placing the RDS DB instance in a private subnet provides an additional layer of security by not exposing the database directly to the internet. It ensures that database traffic is routed through the VPC and not accessible from the public internet. E) Configure the Auto Scaling group to place the EC2 instances in a private subnet: - Similar to the database instance, EC2 instances should also be placed in private subnets for security reasons. This ensures that incoming traffic to your application passes through the ALB (which can be in a public subnet) but doesn't expose the instances directly to the internet.

To meet the requirements of only allowing internet access to the application via HTTP/HTTPS, ensure connectivity to the external payment provider as the environment scales, and isolate the database, the security engineer should recommend: C) Place the DB instance in a private subnet E) Configure the Auto Scaling group to place the EC2 instances in a private subnet F) Deploy the ALB in a public subnet C and E place the application components in private subnets, limiting internet access. F puts the ALB in a public subnet to allow ingress of HTTP/HTTPS traffic. Together this provides isolation and limits external connectivity while allowing internet traffic to the application via the load balancer. A and D are incorrect because public subnets provide direct internet access which violates the requirements. B is incorrect because the database should not be in a public subnet.

A - sounds weird since NAT Gateway can't be deployed in Private subnet (Probably copy/past issue). but i can't find any other solution for this situation. So i'm choosing anyway A+B+E which is in simple words: Moving the DB and the APP layer to private subnet and deploy NAT gateway which will be associated with an ENI+Static IP

These actions will ensure that only HTTP and HTTPS traffic from the internet can reach the application, while allowing communication with the external payment provider through the NAT gateway. Placing the DB instance and EC2 instances in private subnets will provide an additional layer of security. ACE are the best choices here.

i dont think the answers are correct to chose 3 from. whoever is choosing A needs their head examining.

The security engineer should recommend the following actions: C. Place the DB instance in a private subnet. E. Configure the Auto Scaling group to place the EC2 instances in a private subnet. F. Deploy the ALB in a private subnet. This will ensure that the communication with the external payment provider is not interrupted as the environment scales and only HTTP and HTTPS traffic is allowed from the internet.

ACE is correct

C and E are correct. However, something wrong in wordings of A or D options. NAT must be in public subnet, so is ALB

The question says that BD will be running on AWS RDS, so we don't need to worry about it. It also asks to to break the app as the system grows, so implement ASG and ALB in private subnets and use NAT gateway to be able to communicate to external world.

Thanks for the answers. ACE is correct

Standard Load Balancers Best PRactices

There are only two right answers C and E.

i think A C E