
Exam AWS Certified Security - Specialty topic 1 question 375 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 375
Topic #: 1

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

  • A. Make the following changes to NACL3:
    Add a rule that allows inbound traffic on port 5432 from NACL2.
    Add a rule that allows outbound traffic on ports 1024-65536 to NACL2.
    Remove the default rules that allow all inbound and outbound traffic.
  • B. Make the following changes to NACL3:
    Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.
    Add a rule that allows outbound traffic on ports 1024-65536 to the application instance subnets.
    Remove the default rules that allow all inbound and outbound traffic.
  • C. Make the following changes to NACL2:
    Add a rule that allows outbound traffic on port 5432 to the CIDR blocks of the RDS subnets.
    Remove the default rules that allow all inbound and outbound traffic.
  • D. Make the following changes to NACL2:
    Add a rule that allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets.
    Add a rule that allows outbound traffic on port 5432 to the RDS subnets.
Suggested Answer: B
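The reason option B works and options C and D do not is that network ACLs are stateless: the request packet and the reply packet are each matched against their own rule list, so a DB subnet that accepts inbound 5432 still needs an outbound rule for the client's ephemeral port. The script below is an added example (not from the exam page or from AWS tooling) that models that evaluation. The subnet CIDRs, addresses and rule numbers are constructed for illustration; the port-range check also reflects the comment that the ephemeral range ends at 65535, not 65536.

```python
"""Stateless network ACL evaluation, modelled on the question's NACL2/NACL3.

Added example, not from the exam page or AWS. Subnet CIDRs, rule numbers
and IP addresses are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # evaluated in ascending order; the first match wins
    protocol: str     # only "tcp" is modelled here
    port_from: int
    port_to: int
    cidr: str         # remote CIDR: source for inbound rules, destination for outbound
    action: str       # "allow" or "deny"

    def __post_init__(self):
        # TCP ports are 1..65535; a range ending at 65536 is not a valid rule.
        if not (1 <= self.port_from <= self.port_to <= 65535):
            raise ValueError(f"invalid port range {self.port_from}-{self.port_to}")


def evaluate(rules, remote_ip, port):
    """Return 'allow' or 'deny' for a single packet in a single direction.

    A packet that matches no numbered rule hits the implicit final deny
    (shown as rule '*' in the console).
    """
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "tcp":
            continue
        if ip in ipaddress.ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.action
    return "deny"


def inbound_session_ok(nacl_in, nacl_out, remote_ip, remote_port, local_port):
    """Session initiated from outside the subnet: request enters, reply leaves."""
    return (evaluate(nacl_in, remote_ip, local_port) == "allow"
            and evaluate(nacl_out, remote_ip, remote_port) == "allow")


def outbound_session_ok(nacl_in, nacl_out, remote_ip, remote_port, local_port):
    """Session initiated from inside the subnet: request leaves, reply enters."""
    return (evaluate(nacl_out, remote_ip, remote_port) == "allow"
            and evaluate(nacl_in, remote_ip, local_port) == "allow")


# Constructed addressing: ALB subnet (NACL), two app subnets (NACL2), DB subnet (NACL3).
ALB_SUBNET = "10.0.0.0/24"
APP_SUBNETS = ["10.0.2.0/24", "10.0.3.0/24"]
DB_SUBNET = "10.0.10.0/24"
EPHEMERAL_FROM, EPHEMERAL_TO = 1024, 65535

# Option B applied to NACL3 (DB subnet) after removing the allow-all defaults.
NACL3_B_IN = [Rule(100 + i, "tcp", 5432, 5432, c, "allow") for i, c in enumerate(APP_SUBNETS)]
NACL3_B_OUT = [Rule(100 + i, "tcp", EPHEMERAL_FROM, EPHEMERAL_TO, c, "allow")
               for i, c in enumerate(APP_SUBNETS)]

# Option C applied to NACL2 (app subnets): no inbound rules at all, one outbound rule.
NACL2_C_IN = []
NACL2_C_OUT = [Rule(100, "tcp", 5432, 5432, DB_SUBNET, "allow")]


if __name__ == "__main__":
    # App instance 10.0.2.10 reaching the DB from an ephemeral port under option B.
    print("B: app -> DB", inbound_session_ok(NACL3_B_IN, NACL3_B_OUT, "10.0.2.10", 49152, 5432))
    # Same request with the outbound ephemeral rule missing: the reply is dropped.
    print("B without outbound rule", inbound_session_ok(NACL3_B_IN, [], "10.0.2.10", 49152, 5432))
    # Under option C the ALB can no longer reach the app instances on port 80.
    print("C: ALB -> app", inbound_session_ok(NACL2_C_IN, NACL2_C_OUT, "10.0.0.10", 49152, 80))
```

Running the script prints `True`, `False`, `False`: the app-to-DB session passes only when both the inbound 5432 rule and the outbound ephemeral rule exist, and option C's NACL2 blocks the ALB's port 80 traffic because it leaves no inbound allow rule.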

Comments

Isaias
Highly Voted 2 years, 6 months ago
Selected Answer: B
B is correct. A is incorrect: you cannot attach an ACL to another ACL. C is incorrect: the app instances need outbound traffic to respond to connections from the ALB. D: same scenario as C.
upvoted 7 times
Hishamov88
Most Recent 1 year, 11 months ago
Selected Answer: B
B with a remark that the ephemeral port range is "1024-65535" not "1024-65536".
upvoted 1 times
Toptip
2 years ago
Selected Answer: B
B is the only one that makes sense.
upvoted 1 times
nairj
2 years, 1 month ago
Answer is B: Add the subnet range of NACL2 to NACL3 with the required port information, and set up inbound and outbound. A - Cannot attach a NACL. C and D - The app subnet NACLs are not properly configured.
upvoted 1 times
tainh
2 years, 6 months ago
Selected Answer: B
B is correct
upvoted 4 times
AdamWest
2 years, 6 months ago
Selected Answer: B
I also have B as the answer.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other