Welcome to Pass4Success

Amazon SCS-C02 Exam - Topic 8 Question 13 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 13
Topic #: 8

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL1. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

Suggested Answer: B

For increased security while ensuring functionality, adjust NACL3 so that it allows inbound traffic on port 5432 only from the CIDR blocks of the application instance subnets and allows outbound traffic on ephemeral ports (1024-65536) only to those same subnets. Both rules are needed because network ACLs are stateless: the inbound rule admits the application's connection to PostgreSQL, and the outbound rule lets the database's replies, which are addressed to the client's ephemeral source port, leave the subnet. Removing the default allow-all rules then enforces the principle of least privilege, so only the traffic the application actually needs is permitted.
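The following is an added illustration of the NACL3 change described above; it is not code from the exam question, the discussion, or AWS. It models how a VPC network ACL evaluates a packet (rules checked in ascending rule-number order, first match wins, implicit deny when nothing matches) and shows why a stateless ACL needs both the inbound port 5432 rule and the outbound ephemeral-port rule for a PostgreSQL session to work. All CIDR blocks, host addresses and rule numbers are constructed sample values, and the ephemeral range is written as 1024-65535, the upper bound of the TCP port space.

```python
"""
Stateless network ACL evaluation for the database subnet (NACL3).

Added example, not AWS code or code from the page. Rule semantics follow the
VPC documentation: rules are evaluated lowest number first, the first match
decides, and an unmatched packet hits the implicit '*' deny rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the scenario (assumptions, not from the question).
APP_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]   # private app subnets behind NACL2
ALB_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]     # public ALB subnets behind NACL1
RDS_SUBNET = "10.0.20.0/24"                      # private DB subnet behind NACL3
POSTGRES_PORT = 5432
EPHEMERAL = (1024, 65535)                        # client-side ephemeral port range


@dataclass(frozen=True)
class Rule:
    number: int           # evaluation order: lower numbers are checked first
    action: str           # "allow" or "deny"
    cidr: str             # source CIDR for inbound rules, destination CIDR for outbound
    port_range: tuple     # inclusive (low, high) on the packet's destination port


def evaluate(rules, peer_ip, dst_port):
    """Return True if a packet to/from peer_ip with this destination port is allowed."""
    addr = ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        low, high = rule.port_range
        if addr in ip_network(rule.cidr) and low <= dst_port <= high:
            return rule.action == "allow"
    return False  # implicit final '*' deny


def build_hardened_nacl3():
    """The rule set from the suggested answer: 5432 in from app subnets,
    ephemeral ports out to app subnets, nothing else (allow-all removed)."""
    inbound = [Rule(100 + i * 10, "allow", cidr, (POSTGRES_PORT, POSTGRES_PORT))
               for i, cidr in enumerate(APP_SUBNETS)]
    outbound = [Rule(100 + i * 10, "allow", cidr, EPHEMERAL)
                for i, cidr in enumerate(APP_SUBNETS)]
    return inbound, outbound


# The starting state of the question: every NACL allows all traffic.
ALLOW_ALL = [Rule(100, "allow", "0.0.0.0/0", (0, 65535))]


def connection_allowed(inbound, outbound, client_ip, client_port, server_port=POSTGRES_PORT):
    """A TCP session from client_ip needs the SYN allowed inbound (to server_port)
    AND the SYN-ACK allowed outbound (back to client_port): the ACL keeps no state."""
    request_ok = evaluate(inbound, client_ip, server_port)
    reply_ok = evaluate(outbound, client_ip, client_port)
    return request_ok and reply_ok


def check_scenario():
    """Evaluate the flows that matter in the question against the hardened NACL3."""
    inbound, outbound = build_hardened_nacl3()
    app_host, alb_host, client_port = "10.0.10.25", "10.0.1.7", 49152  # constructed
    return {
        # the intended path: an application instance opening a PostgreSQL session
        "app_to_rds": connection_allowed(inbound, outbound, app_host, client_port),
        # the public ALB subnet can no longer reach the database tier
        "alb_to_rds": connection_allowed(inbound, outbound, alb_host, client_port),
        # forgetting the outbound ephemeral rule lets the SYN in but drops the reply
        "app_to_rds_without_ephemeral": connection_allowed(inbound, [], app_host, client_port),
        # the database subnet cannot initiate connections outward (203.0.113.9 is a doc address)
        "rds_to_internet": evaluate(outbound, "203.0.113.9", 443),
        # with the original allow-all rules the ALB subnet reaches PostgreSQL directly
        "allow_all_alb_to_rds": connection_allowed(ALLOW_ALL, ALLOW_ALL, alb_host, client_port),
    }


if __name__ == "__main__":
    for flow, allowed in check_scenario().items():
        print(f"{flow:32s} {'ALLOW' if allowed else 'DENY'}")
```

The `app_to_rds_without_ephemeral` case is the one that trips people up in practice: the security group on the DB instance is stateful and would pass the reply automatically, but the network ACL is not, so a subnet-level rule set that only opens port 5432 inbound breaks the application even though every request packet is accepted.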


Contribute your Thoughts:

Leana
3 months ago
Option C seems off, we need to allow RDS to communicate properly.
upvoted 0 times

Jade
3 months ago
Agree with B, it’s all about least privilege!
upvoted 0 times

Truman
3 months ago
Wait, why would we remove all default rules? Sounds risky.
upvoted 0 times

Annelle
4 months ago
I think option B makes the most sense for security!
upvoted 0 times

Linwood
4 months ago
NACLs should definitely restrict traffic, not just allow everything.
upvoted 0 times

Verlene
4 months ago
I recall that removing default allow rules is crucial for security, but I can't remember if it applies to NACL2 or NACL3 in this scenario.
upvoted 0 times

Franchesca
4 months ago
I’m a bit confused about whether we should be focusing on inbound or outbound rules for the RDS instance. I feel like we practiced something similar in class.
upvoted 0 times

Hoa
4 months ago
I think option B sounds familiar because it mentions allowing traffic from the application instance subnets, which seems like a good practice.
upvoted 0 times

Jaime
5 months ago
I remember we discussed the importance of restricting traffic to only what's necessary, but I'm not sure if NACL2 or NACL3 should be modified first.
upvoted 0 times

Douglass
5 months ago
I think the answer is B. Restricting the RDS access to only the application instance subnets seems like the most secure approach while still allowing the necessary connectivity.
upvoted 0 times

Virgie
5 months ago
I'm a bit confused about the different network ACLs and how they relate to the application and database components. I'll need to carefully review the details to come up with the best solution.
upvoted 0 times

Micaela
5 months ago
Okay, let me think this through step-by-step. The key is to identify the minimum set of changes needed to increase security while maintaining functionality.
upvoted 0 times

Brock
5 months ago
This question seems straightforward, but I want to make sure I understand the network setup correctly before I attempt to answer.
upvoted 0 times

Francine
5 months ago
Okay, let's see. The options mention different types of hubs, but I'm not sure what each one does. I'll have to think this through carefully.
upvoted 0 times

Chana
5 months ago
This seems like a tricky one. I'll need to think carefully about the best approach to ensure upselling is done at the right time.
upvoted 0 times

Heidy
5 months ago
I feel pretty confident about this one. The key is identifying the right formula and then plugging in the numbers correctly. As long as I do that, I should be able to get the right answer.
upvoted 0 times

Josephine
5 months ago
I'm not entirely sure, but I thought increasing the number of datasets goes against good data management principles.
upvoted 0 times

Eden
2 years ago
I prefer Option D. It specifically allows inbound and outbound traffic with the RDS subnets.
upvoted 0 times

Dulce
2 years ago
That makes sense, Titus. But Option A also restricts traffic to specific sources.
upvoted 0 times

Titus
2 years ago
I think Option B might be better. It allows traffic from the application instance subnets.
upvoted 0 times

Laurel
2 years ago
I agree with Dulce. Option A looks good to me.
upvoted 0 times

Dulce
2 years ago
I think we should make changes to NACL3 to increase security.
upvoted 0 times

Ammie
2 years ago
But option D also seems valid as it allows inbound traffic on port 5432 from the CIDR blocks of the RDS subnets and restricts outbound traffic to the RDS subnets.
upvoted 0 times

Kenda
2 years ago
I'm leaning towards option C. It restricts outbound traffic on port 5432 to the CIDR blocks of the RDS subnets, increasing security.
upvoted 0 times

Tegan
2 years ago
I disagree, I believe option B is better. It allows inbound traffic on port 5432 from the CIDR blocks of the application instance subnets.
upvoted 0 times

Ammie
2 years ago
I think option A is the correct choice. It specifically allows inbound traffic on port 5432 from NACL2 which is where the RDS instance is located.
upvoted 0 times

Nancey
2 years ago
You raise a fair point. Maybe we could be more specific and allow only the necessary outbound ports, like the ones used by the application. But overall, I think option B is the best approach.
upvoted 0 times

Carolynn
2 years ago
Haha, I bet the exam creators are just trying to trip us up with all these network ACLs. But I'm glad we're working through this together.
upvoted 0 times

Shawnta
2 years ago
Let's go with B then.
upvoted 0 times

Elliot
2 years ago
That's true, it does. Maybe B is the better choice after all.
upvoted 0 times

Viola
2 years ago
But B specifically targets the application instance subnets.
upvoted 0 times

Laurel
2 years ago
I think A makes more sense actually.
upvoted 0 times

Ailene
2 years ago
I'm not so sure, maybe it's A?
upvoted 0 times

Tenesha
2 years ago
I think the correct answer is B.
upvoted 0 times

Latrice
2 years ago
Option B does seem to be the most logical choice. Restricting the RDS access to only the application subnets and removing the default allow-all rules is a good way to tighten the security.
upvoted 0 times

Terrilyn
2 years ago
Hmm, this is a tricky one. We need to ensure the functionality of the application while increasing the security of the network. I'm leaning towards option B, as it seems to have the most comprehensive approach.
upvoted 0 times
