Which combination of steps meets these requirements?

By:
On:
In: SAA-C02
Tagged:
With: 0 Comments
A company is planning on deploying a newly built application on AWS in a default VPC.The application will consist of a web layer and database layer.The web server was created in public subnets, and the MySQL database was created in private subnets.All subnets are created with the default network ACL settings, and the default security group in the VPC will be replaced with new custom security groups.The following are the key requirements:✑ The web servers must be accessible only to users on an SSL connection.✑ The database should be accessible to the web layer, which is created in a public subnet only.✑ All traffic to and from the IP range 182.20.0.0/16 subnet should be blocked.

Which combination of steps meets these requirements?

(Choose two.)

Create a database server security group with inbound and outbound rules for MySQL port 3306 traffic to and from anywhere (0 0.0.0/0).

Create a database server security group with an inbound rule for MySQL port 3306 and specify the source as a web server security group.

Create a web server security group with an inbound allow rule for HTTPS port 443 traffic from anywhere (0.0.0.0/0) and an inbound deny rule for IP range 182.20.0.0/16.

Create a web server security group with an inbound rule for HTTPS port 443 traffic from anywhere (0.0.0.0/0). Create network ACL inbound and outbound deny rules for IP range 182.20.0.0/16.

Create a web server security group with inbound and outbound rules for HTTPS port 443 traffic to and from anywhere (0.0.0.0/0). Create a network ACL inbound deny rule for IP range 182.20.0.0/16.

Explanations:

Allowing inbound and outbound MySQL traffic (port 3306) from anywhere (0.0.0.0/0) is insecure and violates the requirement that the database should only be accessible to the web layer.

Creating a database security group with an inbound rule for MySQL port 3306 and specifying the source as the web server security group ensures that only the web servers can access the database, meeting the security requirement.

While it correctly specifies HTTPS traffic, allowing inbound traffic for HTTPS from anywhere (0.0.0.0/0) does not restrict it to SSL connections only, and the deny rule for IP range 182.20.0.0/16 is unnecessary as security groups do not support deny rules.

Creating an inbound rule for HTTPS port 443 traffic from anywhere (0.0.0.0/0) is correct, and using network ACLs to deny traffic from the IP range 182.20.0.0/16 effectively blocks that range, complying with all requirements.

While it allows HTTPS traffic, creating inbound and outbound rules for port 443 to/from anywhere (0.0.0.0/0) does not enforce the SSL connection requirement properly. Network ACLs cannot override security group rules, and there’s no need for outbound deny rules.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 + 5 =