AWS Certified Security – Specialty SCS-C01 – Question155

A Security Architect has been asked to review an existing security architecture and identity why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:

  1. An Application Load Balancer, an internet gateway and a NAT gateway are configured in the pubic subnet.
  2. Database, application, and web servers are configured on three different private subnets.
  3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
  4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
  5. There are 3 Security Groups (SGs): database, application, and web. Each group limits all inbound and outbound connectivity to the minimum required.

Which of the following accurately reflects the access control mechanisms the Architect should verify?

A.
Outbound SG configuration on database servers
Inbound SG configuration on application servers
Inbound and outbound network ACL configuration on the database subnet
Inbound and outbound network ACL configuration on the application server subnet
B. Inbound SG configuration on database servers
Outbound SG configuration on application servers
Inbound and outbound network ACL configuration on the database subnet
Inbound and outbound network ACL configuration on the application server subnet
C. Inbound and outbound SG configuration on database servers
Inbound and outbound SG configuration on application servers
Inbound network ACL configuration on the database subnet
Outbound network ACL configuration on the application server subnet
D. Inbound SG configuration on database servers
Outbound SG configuration on application servers
Inbound network ACL configuration on the database subnet
Outbound network ACL configuration on the application server subnet

Correct Answer: C