nerdexam
CompTIA

CV0-003 · Question #703

A cloud security analyst needs to ensure the web servers in the public subnet allow only secure communications and must remediate any possible issue. The stateful configuration for the public web serv

The correct answer is B. Remove rules 1, 3, and 4.. To enforce secure-only communications on public web servers, the stateful firewall rules permitting insecure protocols such as HTTP (port 80) and Telnet (port 23) must be removed while keeping HTTPS (port 443) and secure management access.

Security

Question

A cloud security analyst needs to ensure the web servers in the public subnet allow only secure communications and must remediate any possible issue. The stateful configuration for the public web servers is as follows:

Which of the following actions should the analyst take to accomplish the objective?

Exhibit

CV0-003 question #703 exhibit

Options

  • ARemove rules 1, 2, and 5.
  • BRemove rules 1, 3, and 4.
  • CRemove rules 2, 3, and 4.
  • DRemove rules 3, 4, and 5.

How the community answered

(60 responses)
  • A
    18% (11)
  • B
    70% (42)
  • C
    3% (2)
  • D
    8% (5)

Why each option

To enforce secure-only communications on public web servers, the stateful firewall rules permitting insecure protocols such as HTTP (port 80) and Telnet (port 23) must be removed while keeping HTTPS (port 443) and secure management access.

ARemove rules 1, 2, and 5.

Removing rules 1, 2, and 5 would delete the HTTPS rule (rule 2), which would block legitimate encrypted web traffic and violate the objective of allowing secure communications.

BRemove rules 1, 3, and 4.Correct

Removing rules 1, 3, and 4 eliminates the inbound/outbound entries for unencrypted protocols - most likely HTTP on port 80, Telnet on port 23, and a third insecure rule - while retaining rule 2 (HTTPS on port 443) and rule 5 (SSH on port 22 for secure management). This configuration satisfies the requirement that only secure, encrypted communications are permitted through the stateful security policy for the public subnet.

CRemove rules 2, 3, and 4.

Removing rules 2, 3, and 4 eliminates the HTTPS rule (rule 2), which is the required encrypted channel for public web servers, leaving them unable to serve secure traffic.

DRemove rules 3, 4, and 5.

Removing rules 3, 4, and 5 leaves rule 1 (HTTP) active, which allows unencrypted traffic and fails to meet the requirement of permitting only secure communications.

Concept tested: Stateful security group rules for HTTPS-only web servers

Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html

Topics

#stateful firewall#DMZ#firewall rules#web server security

Community Discussion

No community discussion yet for this question.

Full CV0-003 Practice