Topic 1 Question 285
A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security.
The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306.
Which network ACL rule set meets these requirements?
A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
Comments (5)
- Selected answer: D
The correct answer is D: Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
Explanation: Inbound Rule 100 to deny traffic on TCP port 3306: This rule denies inbound traffic on MySQL’s default port (3306). It ensures that no traffic can reach the EC2 instances on that port from external sources.
Inbound Rule 200 to allow traffic on TCP port 443: This rule allows inbound HTTPS (TLS) traffic on port 443, which is required for your application to communicate with an external internet service over HTTPS.
Outbound Rule 100 to allow traffic on TCP port 443: This rule allows outbound traffic from the EC2 instances on port 443. It ensures that the EC2 instances can establish outbound connections to the internet over HTTPS.
This rule set allows secure internet access for outbound TLS traffic on port 443 while denying inbound MySQL traffic on port 3306, fulfilling both requirements for security.
👍 3 Ucy 2024/12/14
- Selected answer: D
This configuration ensures that:
- Inbound traffic on MySQL port 3306 is denied.
- Inbound traffic on TCP port 443 (used for TLS) is allowed.
- Outbound traffic on TCP port 443 is allowed.

This setup improves the subnet security by restricting unwanted inbound traffic while allowing necessary outbound traffic for internet services using TLS.
👍 2 Pmktechno 2024/12/29
- Selected answer: B
Answer is B. You need to accept the ephemeral range for your TCP response to flow back: 443 <-> 1000-65535. Example custom network ACL: https://docs.aws.amazon.com/vpc/latest/userguide/custom-network-acl.html
👍 2 Wardove 2025/01/30
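To check the four options under the stateless semantics the last comment points at, here is an added example (not from the page, the commenters or AWS) that models how a network ACL evaluates a packet: rules are tried in ascending number order, the first match decides, and the implicit `*` rule denies the rest. It assumes every rule uses protocol TCP and CIDR 0.0.0.0/0, and uses a constructed ephemeral port of 50000 for the instance's side of the TLS connection.

```python
"""Stateless network ACL evaluator (added example, simplified model).
Rules are evaluated lowest number first; the first matching rule decides;
anything unmatched hits the implicit '*' deny. Protocol is assumed TCP and
the CIDR of every rule is assumed to be 0.0.0.0/0, so only direction and
destination port are matched."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int
    direction: str      # "in" or "out"
    action: str         # "allow" or "deny"
    ports: tuple        # (low, high) inclusive destination-port range

def evaluate(rules, direction, dst_port):
    """Return 'allow' or 'deny' for a single packet, NACL style."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction == direction and rule.ports[0] <= dst_port <= rule.ports[1]:
            return rule.action
    return "deny"  # implicit '*' rule

# The four answer options from the question, encoded as rule sets.
OPTIONS = {
    "A": [Rule(100, "in", "allow", (443, 443)), Rule(200, "in", "deny", (3306, 3306)),
          Rule(100, "out", "allow", (443, 443))],
    "B": [Rule(100, "in", "deny", (3306, 3306)), Rule(200, "in", "allow", (1024, 65535)),
          Rule(100, "out", "allow", (443, 443))],
    "C": [Rule(100, "in", "allow", (1024, 65535)), Rule(200, "in", "deny", (3306, 3306)),
          Rule(100, "out", "allow", (443, 443))],
    "D": [Rule(100, "in", "deny", (3306, 3306)), Rule(200, "in", "allow", (443, 443)),
          Rule(100, "out", "allow", (443, 443))],
}

def meets_requirements(rules, client_port=50000):
    """Both requirements under stateless evaluation: the outbound TLS request
    (dst 443) must leave, its reply (dst = the instance's ephemeral port,
    constructed here as 50000) must get back in, and an inbound connection
    to MySQL port 3306 must be denied."""
    request_leaves = evaluate(rules, "out", 443) == "allow"
    reply_returns = evaluate(rules, "in", client_port) == "allow"
    mysql_blocked = evaluate(rules, "in", 3306) == "deny"
    return request_leaves and reply_returns and mysql_blocked

def passing_options():
    """Option letters whose rule set satisfies both requirements."""
    return sorted(k for k, v in OPTIONS.items() if meets_requirements(v))

if __name__ == "__main__":
    print(passing_options())
```

Options A and D drop the TLS reply because nothing allows inbound traffic to the ephemeral port, and option C never reaches its deny rule because rule 100 already allows 3306 inside 1024-65535; only B survives.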