Amazon Exam SCS-C02 Topic 8 Question 13 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 13
Topic #: 8

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

Suggested Answer: B

For increased security while preserving functionality, NACL3 should allow inbound traffic on port 5432 only from the CIDR blocks of the application instance subnets, and allow outbound traffic on the ephemeral ports (1024-65536) back to those subnets. Both directions must be written explicitly because network ACLs are stateless: the inbound rule admits the connection to PostgreSQL, and the outbound rule lets the database's replies reach the ephemeral source port the application instance chose. Removing the default allow-all rules then applies the principle of least privilege, so only the traffic the application actually needs is permitted.
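To make the stateless behaviour concrete, here is an added Python model of NACL3 as the suggested answer describes it (example code, not from Pass4Success or AWS). The subnet CIDRs are assumed, since the question names the subnets but gives no addresses; the ephemeral range is capped at 65535, the highest valid TCP port.

```python
import ipaddress

# Constructed addressing (assumed; the question gives no CIDRs).
APP_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]  # application instance subnets
ALB_SUBNET = "10.0.1.0/24"                       # public ALB subnet
DB_PORT = 5432

# A rule is (number, action, peer CIDR, low port, high port). NACL rules are
# evaluated lowest number first, the first match wins, and the implicit
# final rule (*) denies everything that matched nothing.
DEFAULT_ALLOW_ALL = [(100, "allow", "0.0.0.0/0", 0, 65535)]

# NACL3 per the suggested answer: inbound 5432 from the app subnets only,
# outbound ephemeral ports back to the app subnets only, no allow-all rule.
NACL3_INBOUND = [(100 + i, "allow", c, DB_PORT, DB_PORT)
                 for i, c in enumerate(APP_SUBNETS)]
NACL3_OUTBOUND = [(100 + i, "allow", c, 1024, 65535)
                  for i, c in enumerate(APP_SUBNETS)]


def evaluate(rules, peer_ip, dst_port):
    """Decide one packet the way a network ACL does: ordered, first match, no state.

    peer_ip is the source for inbound rules and the destination for outbound rules;
    dst_port is the packet's destination port.
    """
    ip = ipaddress.ip_address(peer_ip)
    for _number, action, cidr, lo, hi in sorted(rules):
        if ip in ipaddress.ip_network(cidr) and lo <= dst_port <= hi:
            return action
    return "deny"  # implicit catch-all rule


def db_session_allowed(inbound, outbound, client_ip, client_port):
    """A PostgreSQL session needs both directions to pass through the DB subnet's NACL:
    the request to 5432 on the way in, and the reply to the client's ephemeral port
    on the way out. Forgetting the outbound rule silently breaks every connection."""
    request_ok = evaluate(inbound, client_ip, DB_PORT) == "allow"
    reply_ok = evaluate(outbound, client_ip, client_port) == "allow"
    return request_ok and reply_ok


if __name__ == "__main__":
    print("app -> RDS:", db_session_allowed(NACL3_INBOUND, NACL3_OUTBOUND, "10.0.10.25", 49152))
    print("ALB -> RDS:", db_session_allowed(NACL3_INBOUND, NACL3_OUTBOUND, "10.0.1.5", 49152))
    print("no outbound rule:", db_session_allowed(NACL3_INBOUND, [], "10.0.10.25", 49152))
```

The third case is the common mistake the answer guards against: the inbound rule alone looks sufficient in a stateful mental model, but the stateless NACL drops the database's replies.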


Contribute your Thoughts:

Nancey
11 days ago
You raise a fair point. Maybe we could be more specific and allow only the necessary outbound ports, like the ones used by the application. But overall, I think option B is the best approach.
upvoted 0 times
Carolynn
11 days ago
Haha, I bet the exam creators are just trying to trip us up with all these network ACLs. But I'm glad we're working through this together.
upvoted 0 times
Latrice
12 days ago
Option B does seem to be the most logical choice. Restricting the RDS access to only the application subnets and removing the default allow-all rules is a good way to tighten the security.
upvoted 0 times
Terrilyn
13 days ago
Hmm, this is a tricky one. We need to ensure the functionality of the application while increasing the security of the network. I'm leaning towards option B, as it seems to have the most comprehensive approach.
upvoted 0 times
