
SAA-C03 Question #242: Real Exam Question with Answer & Explanation

The correct answer is D: Add a deny outbound rule to the custom network ACL for the Application A subnet. Configure the. The requirement is to prevent Application A from sending traffic to Application B.

Submitted by parkjh · Mar 4, 2026 · Design Secure Architectures

Question

A company runs multiple applications on Amazon EC2 instances in a VPC. Application A runs in a private subnet that has a custom route table and network ACL. Application B runs in a second private subnet in the same VPC. The company needs to prevent Application A from sending traffic to Application B. Which solution will meet this requirement?

Options

  • A. Add a deny outbound rule to a security group associated with Application B. Configure the rule
  • B. Add a deny outbound rule to a security group associated with Application A. Configure the rule
  • C. Add a deny outbound rule to the custom network ACL for the Application B subnet. Configure the
  • D. Add a deny outbound rule to the custom network ACL for the Application A subnet. Configure the

Explanation

The requirement is to prevent Application A from sending traffic to Application B.

Understanding AWS Network Security Components:

Security groups
  • Stateful (if traffic is allowed in one direction, it is automatically allowed in the reverse).
  • Do not support explicit deny rules, only allow rules.
  • Not suitable for blocking traffic in this scenario.

Network ACLs (NACLs)
  • Stateless (must define explicit rules for both inbound and outbound traffic).
  • Support explicit DENY rules.
  • Best suited for blocking traffic between subnets.

Analysis of the Options:

Option A: Deny Outbound Rule in Security Group for Application B (Incorrect)
  • Security Groups do not support explicit deny rules.
  • Does not block traffic from Application A to Application B.

Option B: Deny Outbound Rule in Security Group for Application A (Incorrect)
  • Security Groups do not support explicit deny rules.
  • Cannot effectively prevent Application A from sending traffic to Application B.

Option C: Deny Outbound Rule in NACL for Application B Subnet (Incorrect)
  • This would prevent Application B from sending traffic, but the requirement is to block traffic from Application A to Application B.
  • Incorrect subnet is being modified.

Option D: Deny Outbound Rule in NACL for Application A Subnet (Correct Choice)
  • Prevents Application A from sending traffic to Application B by blocking outbound requests at the
  • Effectively stops communication from A to B at the subnet level.

Why Option D is the Best Choice?
  • NACLs support explicit deny rules, unlike security groups.
  • Blocks outbound traffic from Application A before it reaches Application B.
  • Works at the subnet level, making it scalable.
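Added example (not from the original page): a small Python model of how the outbound rules of Application A's network ACL are evaluated, showing that the deny entry from option D only takes effect when it has a lower rule number than any broader allow. The CIDR blocks, rule numbers and IP addresses are constructed, and protocol and port matching is left out.

```python
import ipaddress

# Constructed value: the page gives no CIDRs or rule numbers.
APP_B_SUBNET = "10.0.2.0/24"


def evaluate_egress(rules, dest_ip):
    """Return 'allow' or 'deny' for traffic leaving the subnet toward dest_ip.

    Network ACL rules are evaluated in ascending rule-number order and the
    first matching rule decides; unmatched traffic hits the implicit deny.
    """
    dest = ipaddress.ip_address(dest_ip)
    for number, cidr, action in sorted(rules):
        if dest in ipaddress.ip_network(cidr):
            return action
    return "deny"  # the final '*' rule of every network ACL


# Option D done correctly: the deny for Application B's subnet is numbered
# below the broad allow, so it matches first.
NACL_A_CORRECT = [
    (90, APP_B_SUBNET, "deny"),
    (100, "0.0.0.0/0", "allow"),
]

# Same two entries, but the deny is numbered after the allow and never matches.
NACL_A_MISORDERED = [
    (100, "0.0.0.0/0", "allow"),
    (110, APP_B_SUBNET, "deny"),
]


def check(rules):
    """Summarise the outcome for one host in Application B's subnet and one elsewhere."""
    return {
        "to_app_b": evaluate_egress(rules, "10.0.2.15"),
        "to_other": evaluate_egress(rules, "10.0.3.20"),
    }


if __name__ == "__main__":
    print("correct:   ", check(NACL_A_CORRECT))
    print("misordered:", check(NACL_A_MISORDERED))
```

Because the ACL is stateless, the check applies to every outbound packet from Application A's subnet, including replies to connections that Application B opened.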
