Exam SCS-C01 All Questions
Question 6

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.

How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

    Correct Answer: B, C

    Enhancing edge security entails both protecting the application from direct attacks and efficiently managing traffic routes. Moving web servers to private subnets without public IP addresses increases security by only allowing access through the Application Load Balancer, thus reducing exposure to direct attacks. Configuring AWS WAF provides an additional layer of security by protecting against web-layer attacks, including DDoS and malicious bots, which helps secure the ALB and, consequently, the EC2 instances.
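The following CloudFormation template is an added example, not part of the exam page or of any AWS documentation, showing the architecture the explanation describes: only the ALB sits in public subnets, the web server is launched into a private subnet with no public IP and a security group that admits traffic solely from the ALB's security group (rather than from a CIDR range), and an AWS WAF web ACL with a rate-based rule is associated with the ALB. The parameter names, resource logical IDs, the 2000-requests-per-5-minutes threshold and the plain-HTTP listener are all assumptions made for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Web tier in a private subnet behind an internet-facing ALB protected by AWS WAF (added example)

Parameters:
  VpcId: {Type: AWS::EC2::VPC::Id}
  PublicSubnetIds: {Type: List<AWS::EC2::Subnet::Id>}   # ALB needs two AZs
  PrivateSubnetId: {Type: AWS::EC2::Subnet::Id}
  AmiId: {Type: AWS::EC2::Image::Id}

Resources:
  # Only the ALB is reachable from the internet. Port 80 is used to match the
  # example listener; production would use 443 with an ACM certificate.
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 0.0.0.0/0}

  # The web tier accepts traffic only from the ALB's security group, so even a
  # misconfigured NACL cannot expose it to arbitrary internet sources.
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier, reachable only via the ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, SourceSecurityGroupId: !Ref AlbSecurityGroup}

  WebLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnetIds
      SecurityGroups: [!Ref AlbSecurityGroup]

  WebTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP
      Port: 80
      TargetType: instance
      Targets: [{Id: !Ref WebInstance}]

  WebListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref WebLoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - {Type: forward, TargetGroupArn: !Ref WebTargetGroup}

  # Web server in the private subnet. AssociatePublicIpAddress: false pins the
  # instance to no public IP regardless of the subnet's auto-assign setting.
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      NetworkInterfaces:
        - DeviceIndex: 0
          AssociatePublicIpAddress: false
          SubnetId: !Ref PrivateSubnetId
          GroupSet: [!Ref WebSecurityGroup]

  # Regional web ACL with a rate-based rule: any source IP that exceeds 2000
  # requests in a 5-minute window is blocked (threshold chosen for the example).
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: web-tier-acl
      Scope: REGIONAL
      DefaultAction: {Allow: {}}
      VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: webTierAcl}
      Rules:
        - Name: RateLimitPerIp
          Priority: 0
          Action: {Block: {}}
          Statement:
            RateBasedStatement:
              Limit: 2000
              AggregateKeyType: IP
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: rateLimitPerIp}

  # Attaching the web ACL to the ALB is what puts WAF in front of the EC2 instances.
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref WebLoadBalancer
      WebACLArn: !GetAtt WebAcl.Arn
```

Deploy with `aws cloudformation deploy --template-file template.yaml --stack-name web-tier --parameter-overrides VpcId=... PublicSubnetIds=... PrivateSubnetId=... AmiId=...`. The two design points worth checking in an existing environment are the ones the template makes explicit: the web tier's ingress rule references the ALB security group rather than a CIDR, and the instance has no public IP, so the only path to it runs through the ALB and therefore through the web ACL.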

Discussion
josellama2000

Agreed. Correct is B and C. A is incorrect: NAT gateways are for outbound-only traffic. D is incorrect: a bastion host is mostly for incoming SSH/FTP connections, and it must be placed in a public subnet. E is incorrect: AWS Direct Connect is used to connect your on-premises datacenter to AWS.

nasreenazad57

If we move web servers to private subnets without public IPs, it means they won't be able to serve as public web servers, am I correct?

frees

Load Balancer will have public IP.

rohanat

But application and web servers need to be isolated into different layers. Moving the web servers to the private subnet will increase the blast radius if the web servers are hacked. So this answer is not fully right.

Robert0

The question does not specify that the private subnet has to be unique. I agree with you that it may be a more complete answer. But they are "more secure" options than the initial state.

BillyC

B and C

Kdosec

B & C are correct, but the C answer, "C. Configure AWS WAF to provide DDoS attack protection", is really not correct with respect to DDoS attack protection; it must be AWS Shield.

NivNZ

No, actually C is correct too. If you check WAF's FAQ, "Can I use Rate-based rule to mitigate Web layer DDoS attacks?", it does say "Yes. This new rules type is designed to protect you from use cases such web-layer DDoS attacks, brute force login attempts and bad bots." Reference: https://aws.amazon.com/waf/faqs/

Mike_1

All answers look good. But since the question emphasizes "edge location" enhanced security, BC it is.

jlggross

C might be correct, but it is a tricky one. When it comes to DDoS mitigation, the recommended solution is AWS Shield, but other services can also mitigate DDoS, such as AWS WAF.

rapatajones (Options: BC)

B and C

Benah

B and C are correct

Robert0 (Options: BC)

B and C.

gg12345 (Options: BC)

B and C

dcasabona (Options: BC)

B and C make sense to me.

hk436

B and C is my answer

sanjaym

Ans:BC 100%

mmelo

B and C

Haxor

I don't understand why everyone is saying B. If it is B, then surely your users can't access the instances, so instead it should be A and C, right?

apartha77

Ans > B&C... the ALB can be configured to access web servers in a private subnet.

gondohwe

It doesn't matter if the web servers are in private subnets... the internet-facing ALB will receive the requests... BC is the better choice.

NANDY666

B and C

kalzht00

Should be B & C

devjava

Ans > B,C