Exam AWS Certified Security - Specialty topic 1 question 361 discussion


A company has two VPCs that are in the same AWS account. One VPC is located in the us-east-1 Region, and the other VPC is located in the us-west-2 region. The VPCs have an active VPC peering connection with each other, and the route tables for each VPC are configured to route network traffic properly between each VPC.

An Amazon Aurora DB instance exists in the VPC in us-east-1, and the DB instance’s security group controls access to the DB instance. An Auto Scaling group is running in the VPC in us-west-2. The Auto Scaling group is continually adding and removing Amazon EC2 instances because of fluctuations in the demand for capacity. Every EC2 instance that launches as part of the Auto Scaling group belongs to a security group that is specific to the Auto Scaling group.

A security engineer needs to configure a solution that allows the EC2 instances to access the DB instance that is located in us-east-1.

Which solution will meet these requirements with the LEAST amount of effort?

  • A. Add the ID of the DB instance’s security group to the inbound rules of the EC2 instances’ security group.
  • B. Add the subnets used by the Auto Scaling group of the VPC in us-west-2 to the DB instance’s security group.
  • C. Add the private IP address of each EC2 instance from the Auto Scaling group to the DB instance's security group.
  • D. Add the ID of the EC2 instances’ security group to the inbound rules of the DB instance's security group.
Suggested Answer: B

Comments

AdamWest
Highly Voted 2 years, 5 months ago
Selected Answer: D
D - (Isaias - you can add SGs from other VPCs if they are peered) - From the user guide: "The ID of a security group (referred to here as the specified security group). For example, the current security group, a security group from the same VPC, or a security group for a peered VPC. This allows traffic based on the private IP addresses of the resources associated with the specified security group. This does not add rules from the specified security group to the current security group."
upvoted 12 times
Isaias
2 years, 5 months ago
You're right.
upvoted 1 times
charlesdeng
2 years, 2 months ago
B - You cannot reference the security group of a peer VPC that's in a different Region. Instead, use the CIDR block of the peer VPC. from https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html
upvoted 9 times
ITGURU51
2 years ago
Security groups cannot be referenced between Regions. According to AWS documentation, “You cannot reference the security group of a peer VPC that’s in a different Region. Instead, use the CIDR block of the peer VPC.”
upvoted 1 times
Leonardocp33
Highly Voted 2 years, 4 months ago
Selected Answer: B
B, "You cannot reference the security group of a peer VPC that's in a different Region. Instead, use the CIDR block of the peer VPC." https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html#:~:text=You%20cannot%20reference%20the%20security%20group%20of%20a%20peer%20VPC%20that%27s%20in%20a%20different%20Region.%20Instead%2C%20use%20the%20CIDR%20block%20of%20the%20peer%20VPC.
upvoted 9 times
Arad
Most Recent 11 months, 1 week ago
Selected Answer: D
D is the correct answer.
upvoted 1 times
lucesarano
1 year, 10 months ago
B. As the others are pointing out, I have tried that and you can try yourself. Go to eu-west-1 and check the default security group. Get the ID of the eu-west-2 default security group. Try to reference the ID of the second in the first security group; it won't appear.
upvoted 1 times
Green53
1 year, 10 months ago
Selected Answer: B
A sneaky question. As people have said, security groups can only be referenced across peers when they're in the *same* region: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html Since you don't want to whitelist individual IPs, B is the suitable answer.
upvoted 1 times
michele_scar
1 year, 11 months ago
Selected Answer: B
You cannot reference an SG between different Regions. The CIDR block is needed.
upvoted 1 times
Toptip
1 year, 11 months ago
Selected Answer: B
B is 100% correct... D could be correct only if both VPC are in the SAME REGION.
upvoted 1 times
Tofu13
1 year, 11 months ago
Selected Answer: B
B: Add the subnets = add the subnet CIDRs. C only adds single IPs, which does not work very well in an AS group. D does not work because of different Regions.
upvoted 2 times
Ell89
2 years, 2 months ago
Selected Answer: B
As explained by multiple members already, you can reference an SG of a peered VPC, but not from a different Region.
upvoted 5 times
makanju
2 years, 3 months ago
B- You cannot reference the security group of a peer VPC that's in a different Region. Instead, use the CIDR block of the peer VPC. https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html
upvoted 3 times
sakibmas
2 years, 3 months ago
Selected Answer: D
A - reverse requirements. B - not least access. C - not feasible.
upvoted 1 times
Smartphone
2 years, 3 months ago
How will you add the ID of the EC2 instances’ security group that is located in a different Region? The correct answer is B.
upvoted 3 times
Smartphone
2 years, 4 months ago
You cannot reference the security group of a peer VPC that's in a different Region. Instead, use the CIDR block of the peer VPC. https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html Hence the correct answer is B.
upvoted 3 times
sahanpere
2 years, 4 months ago
Selected Answer: B
B is correct. D is not correct. You can't specify the security group ID in different Regions, only the CIDR. https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html#:~:text=You%20cannot%20reference%20the%20security%20group%20of%20a%20peer%20VPC%20that%27s%20in%20a%20different%20Region.%20Instead%2C%20use%20the%20CIDR%20block%20of%20the%20peer%20VPC.
upvoted 5 times
NOZOMI
2 years, 4 months ago
Selected Answer: B
Unfortunately, SG ID references are only available in the same Region and when VPC peering is configured. It's not specified in the docs, but you'll find out if you actually do it. (There are also descriptions in some free blogs.)
upvoted 4 times
siva_siva
2 years, 4 months ago
B - For Source in SGID, type the ID of the security group in the peer VPC if it is in the same Region or the CIDR block of the peer VPC if it is in a different Region. refer: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html
upvoted 4 times
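The rule the thread keeps quoting (same-Region peer: reference the security group by ID; cross-Region peer: allow the peer's CIDR blocks) worked through as an added example that is not part of the exam page or of AWS's own code. It builds the `IpPermissions` structure that boto3's `ec2.authorize_security_group_ingress()` accepts (assumed shape; nothing here calls AWS), and the second function shows why per-instance IPs (option C) break as the Auto Scaling group churns. The subnet CIDRs, the security group ID and the port are constructed sample values.

```python
"""Inbound rule for the Aurora DB security group in us-east-1, built so that
Auto Scaling instances in the peered VPC can reach it. Same-Region peer ->
SG-ID reference (option D); cross-Region peer -> subnet CIDRs (option B)."""
import ipaddress

DB_PORT = 3306  # Aurora MySQL-compatible listener port (assumption)


def build_db_ingress(db_region, peer_region, peer_sg_id, peer_subnet_cidrs, port=DB_PORT):
    """Return the IpPermissions list to add to the DB security group."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if db_region == peer_region:
        # Same Region: reference the ASG's security group. Instances launched
        # later are covered because they join that group at launch.
        perm["UserIdGroupPairs"] = [{"GroupId": peer_sg_id}]
    else:
        # Different Region (us-west-2 -> us-east-1): the peer's SG ID cannot be
        # used as a source, so allow the ASG's subnet CIDRs instead.
        # Adjacent subnets are collapsed into the smallest covering set.
        nets = [ipaddress.ip_network(c, strict=True) for c in peer_subnet_cidrs]
        perm["IpRanges"] = [
            {"CidrIp": str(n), "Description": f"ASG subnets in {peer_region}"}
            for n in ipaddress.collapse_addresses(nets)
        ]
    return [perm]


def allows_source(perms, private_ip, source_sg_id=None):
    """Does this rule set admit traffic from private_ip (a member of
    source_sg_id)? With per-instance /32 rules the next instance the ASG
    launches gets an address no rule covers; a CIDR or SG rule keeps up."""
    ip = ipaddress.ip_address(private_ip)
    for p in perms:
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in p.get("IpRanges", [])):
            return True
        if any(g["GroupId"] == source_sg_id for g in p.get("UserIdGroupPairs", [])):
            return True
    return False


# Constructed sample: the ASG spans two /24 subnets in the us-west-2 VPC.
ASG_SUBNETS = ["10.20.0.0/24", "10.20.1.0/24"]
ASG_SG = "sg-0123456789abcdef0"  # constructed placeholder ID
CROSS_REGION_RULE = build_db_ingress("us-east-1", "us-west-2", ASG_SG, ASG_SUBNETS)
SAME_REGION_RULE = build_db_ingress("us-east-1", "us-east-1", ASG_SG, ASG_SUBNETS)
```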
ryogoku
2 years, 4 months ago
Selected Answer: D
D is correct as explained by Adam.
upvoted 1 times
Isaias
2 years, 5 months ago
Selected Answer: B
B, adding the subnets to the SG in the DB inbound rule. A and D cannot be, because you cannot add an SG from another VPC.
upvoted 4 times
landsamboni
2 years, 5 months ago
Yes, you can.
upvoted 1 times
beatz
2 years, 5 months ago
Selected Answer: D
D is correct
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other