
Exam AWS Certified Security - Specialty topic 1 question 294 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 294
Topic #: 1

A company is running an Amazon RDS Multi-AZ DB instance inside a VPC. The DB instance is using two subnets that provide a default route to the internet through a NAT gateway.
The company also has application servers that run on Amazon EC2 instances that use the RDS database. The company has deployed these EC2 instances into two other private subnets within the same VPC. These EC2 instances use a default route to access the internet through the same NAT gateway. Each subnet in the VPC uses its own unique route table.
After a recent security audit, the company added a new security requirement. The DB instance must never be able to connect to the internet. A security engineer must make this change immediately without disrupting the application servers' network traffic.
How can the security engineer meet these requirements?

  • A. Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
  • B. Configure the DB instance's inbound network ACL to deny traffic from the security group ID of the NAT gateway.
  • C. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
  • D. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.
Suggested Answer: C
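The change behind answer C, as an added example that is not from the exam page or any commenter: a planner that works on data shaped like `aws ec2 describe-route-tables` output (all subnet, route-table and NAT gateway IDs are constructed), removes the 0.0.0.0/0 route to the NAT gateway only from the RDS subnets' tables, and refuses to proceed if a DB subnet shares a table with an application subnet, since that would also cut the application servers off.

```python
"""Plan answer C: delete the 0.0.0.0/0 -> NAT gateway route from the RDS
subnets' route tables only. Constructed data; IDs are not real."""

DB_SUBNETS = {"subnet-db-a", "subnet-db-b"}  # the two RDS Multi-AZ subnets
NAT_ROUTE = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}
LOCAL_ROUTE = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}

def table(rtb_id, subnets, routes):
    """Build one route-table record with explicit subnet associations."""
    return {"RouteTableId": rtb_id,
            "Associations": [{"SubnetId": s} for s in subnets],
            "Routes": list(routes)}

# Scenario from the question: every subnet has its own route table.
PER_SUBNET_TABLES = [
    table("rtb-db-a", ["subnet-db-a"], [LOCAL_ROUTE, NAT_ROUTE]),
    table("rtb-db-b", ["subnet-db-b"], [LOCAL_ROUTE, NAT_ROUTE]),
    table("rtb-app-a", ["subnet-app-a"], [LOCAL_ROUTE, NAT_ROUTE]),
    table("rtb-app-b", ["subnet-app-b"], [LOCAL_ROUTE, NAT_ROUTE]),
]
# Variant where a DB subnet and an app subnet share a table; dropping the
# default route there would also break the application servers.
SHARED_TABLE = [
    table("rtb-shared", ["subnet-db-a", "subnet-app-a"], [LOCAL_ROUTE, NAT_ROUTE]),
    table("rtb-db-b", ["subnet-db-b"], [LOCAL_ROUTE, NAT_ROUTE]),
]

def plan_route_removal(route_tables, db_subnets):
    """Return (RouteTableId, DestinationCidrBlock) pairs to delete, or raise
    if the change would touch a table that non-DB subnets also use."""
    deletions, covered = [], set()
    for rt in route_tables:
        # Main-table associations carry no SubnetId; only explicit ones count.
        subnets = {a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a}
        if not subnets & db_subnets:
            continue
        shared = subnets - db_subnets
        if shared:
            raise ValueError(f"{rt['RouteTableId']} also serves {sorted(shared)}; "
                             "move those subnets to their own table first")
        covered |= subnets
        for route in rt["Routes"]:
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in route:
                deletions.append((rt["RouteTableId"], "0.0.0.0/0"))
    missing = db_subnets - covered
    if missing:  # a DB subnet without an explicit table falls back to the main table
        raise ValueError(f"no explicit route table found for {sorted(missing)}")
    # Each pair maps to: aws ec2 delete-route --route-table-id <id>
    #                                         --destination-cidr-block 0.0.0.0/0
    return deletions
```

The application subnets' tables are never in the returned list, which is the "without disrupting the application servers" condition the question adds.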

Comments

Dharshan07
Highly Voted 3 years, 6 months ago
Correct Ans is C
upvoted 8 times
sam_live
Highly Voted 3 years, 5 months ago
C - Each subnet has a route table, so modify the routing associated with DB instance subnets to prevent internet access.
upvoted 5 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: C
Correct answer is C.
upvoted 1 times
ITGURU51
2 years, 2 months ago
The routing table has to point to the NAT gateway when you're on a private subnet. Therefore C
upvoted 1 times
SergioP
2 years, 4 months ago
Selected Answer: C
C, it's correct
upvoted 1 times
Chiquitabandita
2 years, 5 months ago
Deny by routing will work for answer C, but in reality it should be blocked by a network ACL as well, or by some other security measure.
upvoted 1 times
D2
2 years, 7 months ago
Selected Answer: C
Answer C
upvoted 1 times
xaocho
2 years, 11 months ago
Selected Answer: C
C with me
upvoted 1 times
ceros399
3 years, 3 months ago
Selected Answer: C
C - just delete the internet route through the NAT Gateway in the RDS subnet
upvoted 2 times
babaseun
3 years, 6 months ago
C. 1. The EC2 instances connect to the internet through a default route via the same NAT gateway. 2. Perform this update promptly without interfering with the network traffic of the application servers.
upvoted 5 times
Community vote distribution: A (35%), C (25%), B (20%), Other