SCS-C03 Question #102: Real Exam Question with Answer & Explanation

The correct answer is B: Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on.

Submitted by manish99 · Mar 6, 2026

Question

A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security. The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306. Which network ACL rule set meets these requirements?

Options

  • A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on
  • B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on
  • C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to
  • D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on

Explanation

In a network ACL, rules are processed in order, so the numbering of the rules is important.

The solution requires:

  • Outbound traffic on port 443 (TLS) to reach an internet service.
  • Inbound traffic on port 3306 (MySQL) to be denied.

The correct rule set:

  • Inbound rule 100 denies traffic on TCP port 3306 to block MySQL access.
  • Inbound rule 200 allows TCP port range 1024-65535, which is required for ephemeral ports used in response to outbound connections on port 443.
  • Outbound rule 100 allows TCP port 443, permitting the required outbound traffic.

This configuration meets the requirements by ensuring that only traffic initiated outbound on port 443 can receive responses on ephemeral ports, and inbound MySQL traffic on port 3306 is denied.
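An added example, not part of the original page: a small simulator of network ACL evaluation (lowest rule number first, first match wins, implicit deny at the end) run over the rule set from the explanation. The `Rule` class, the helper names, the swapped rule set and client port 49152 are constructed for illustration, and only TCP destination ports are modeled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int     # network ACL rule number
    action: str     # "allow" or "deny"
    port_from: int  # first TCP destination port covered
    port_to: int    # last TCP destination port covered


def evaluate(rules, dst_port):
    """Return the action of the lowest-numbered rule that matches dst_port."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_from <= dst_port <= rule.port_to:
            return rule.action  # first match wins; later rules are never consulted
    return "deny"  # the implicit "*" rule that ends every network ACL


# Rule set described in the explanation.
INBOUND = [Rule(100, "deny", 3306, 3306), Rule(200, "allow", 1024, 65535)]
OUTBOUND = [Rule(100, "allow", 443, 443)]

# Constructed counter-example: the same two inbound rules with numbers swapped.
INBOUND_SWAPPED = [Rule(100, "allow", 1024, 65535), Rule(200, "deny", 3306, 3306)]


def tls_session_works(inbound, outbound, client_port):
    """Network ACLs are stateless: the request to 443 must pass the outbound
    rules and the reply to the client's ephemeral port must pass the inbound rules."""
    return (evaluate(outbound, 443) == "allow"
            and evaluate(inbound, client_port) == "allow")


if __name__ == "__main__":
    print("inbound 3306, page rule set:   ", evaluate(INBOUND, 3306))
    print("inbound 3306, swapped numbers: ", evaluate(INBOUND_SWAPPED, 3306))
    print("inbound 22, page rule set:     ", evaluate(INBOUND, 22))
    print("TLS session from port 49152:   ", tls_session_works(INBOUND, OUTBOUND, 49152))
```

Port 3306 lies inside the 1024-65535 range, so the deny must carry the lower rule number; with the numbers swapped, the range allow matches first and MySQL traffic gets through.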
