CV0-003 · Question #703
A cloud security analyst needs to ensure the web servers in the public subnet allow only secure communications and must remediate any possible issue. The stateful configuration for the public web serv
The correct answer is B. Remove rules 1, 3, and 4.. To enforce secure-only communications on public web servers, the stateful firewall rules permitting insecure protocols such as HTTP (port 80) and Telnet (port 23) must be removed while keeping HTTPS (port 443) and secure management access.
Question
A cloud security analyst needs to ensure the web servers in the public subnet allow only secure communications and must remediate any possible issue. The stateful configuration for the public web servers is as follows:
Which of the following actions should the analyst take to accomplish the objective?
Exhibit
Options
- ARemove rules 1, 2, and 5.
- BRemove rules 1, 3, and 4.
- CRemove rules 2, 3, and 4.
- DRemove rules 3, 4, and 5.
How the community answered
(60 responses)- A18% (11)
- B70% (42)
- C3% (2)
- D8% (5)
Why each option
To enforce secure-only communications on public web servers, the stateful firewall rules permitting insecure protocols such as HTTP (port 80) and Telnet (port 23) must be removed while keeping HTTPS (port 443) and secure management access.
Removing rules 1, 2, and 5 would delete the HTTPS rule (rule 2), which would block legitimate encrypted web traffic and violate the objective of allowing secure communications.
Removing rules 1, 3, and 4 eliminates the inbound/outbound entries for unencrypted protocols - most likely HTTP on port 80, Telnet on port 23, and a third insecure rule - while retaining rule 2 (HTTPS on port 443) and rule 5 (SSH on port 22 for secure management). This configuration satisfies the requirement that only secure, encrypted communications are permitted through the stateful security policy for the public subnet.
Removing rules 2, 3, and 4 eliminates the HTTPS rule (rule 2), which is the required encrypted channel for public web servers, leaving them unable to serve secure traffic.
Removing rules 3, 4, and 5 leaves rule 1 (HTTP) active, which allows unencrypted traffic and fails to meet the requirement of permitting only secure communications.
Concept tested: Stateful security group rules for HTTPS-only web servers
Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html
Topics
Community Discussion
No community discussion yet for this question.
