Which of the following accurately reflects the access control mechanisms the Architect should verify?

By:
On:
In: SCS-C01
Tagged:
With: 0 Comments
A Security Architect has been asked to review an existing security architecture and identity why the application servers cannot successfully initiate a connection to the database servers.The following summary describes the architecture:1.An Application Load Balancer, an internet gateway and a NAT gateway are configured in the pubic subnet.2.Database, application, and web servers are configured on three different private subnets.3.The VPC has two route tables: one for the public subnet and one for all other subnets.The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway.The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway.All private subnets can route to each other.4.Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.5.There are 3 Security Groups (SGs): database, application, and web.Each group limits all inbound and outbound connectivity to the minimum required.

Which of the following accurately reflects the access control mechanisms the Architect should verify?

Outbound SG configuration on database servers Inbound SG configuration on application servers Inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet

Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet

Explanations:

This option suggests checking the outbound SG configuration on database servers, which is not necessary as database servers do not initiate connections. Instead, the inbound configuration should be verified to allow traffic from application servers. Additionally, it correctly includes checking the inbound SG on application servers and network ACLs, but the focus is misplaced.

This option accurately identifies the need to verify the inbound SG configuration on database servers to allow connections from application servers. It also includes checking the outbound SG on application servers, which is crucial for ensuring they can send requests to the database servers. Furthermore, it appropriately addresses the need to check both inbound and outbound network ACLs for the respective subnets.

This option suggests checking both inbound and outbound SG configurations on database servers, which is unnecessary as database servers should only require inbound rules to allow traffic from application servers. It also states the need for inbound network ACL configuration on the database subnet, which is not specific enough without mentioning outbound rules.

This option correctly identifies the need for inbound SG configuration on database servers and outbound SG configuration on application servers. However, it fails to mention the need to verify inbound and outbound rules for network ACLs on both the database and application server subnets, which is crucial for overall connectivity.

Leave a Reply

Your email address will not be published. Required fields are marked *

14 − five =