SCS-C03 Question #130: Real Exam Question with Answer & Explanation
The correct answer is A: Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
Question
A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone). The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC. Which combination of steps should the security engineer take to remediate this scenario? (Select TWO.)
Options
- A. Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
- B. Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
- C. Modify the route tables that are associated with each of the public subnets. Create a new route
- D. Modify the route tables that are associated with each of the private subnets. Create a new route
- E. Modify the route tables that are associated with each of the private subnets. Create a new route
Explanation
In a properly segmented VPC architecture, public subnets route internet-bound traffic to an internet gateway, while private subnets route outbound internet traffic through a NAT gateway that resides in a public subnet. According to the AWS Certified Security - Specialty Official Study Guide and Amazon VPC documentation, private subnets must never have a direct route to an internet gateway. The issue described indicates that private subnets are incorrectly routing traffic directly to the internet gateway. To remediate this, a NAT gateway must be provisioned in each public subnet to ensure high availability across Availability Zones. This satisfies the requirement that private resources can initiate outbound connections without being directly reachable from the internet. Next, the route tables associated with the private subnets must be updated so that the default route (0.0.0.0/0) points to the NAT gateway in the same Availability Zone. This ensures proper traffic flow and prevents cross-AZ dependencies.
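The check described in the explanation, as an added example that is not part of the exam material or AWS documentation: it walks route tables shaped like `aws ec2 describe-route-tables` output (the `Associations`, `Routes`, `GatewayId` and `NatGatewayId` keys are the real field names; the subnet ids, gateway ids and AZ mapping are constructed) and flags any private subnet whose default route goes to the internet gateway, has no NAT gateway, or uses a NAT gateway in a different Availability Zone.

```python
# Constructed inventory: subnet id -> (Availability Zone, is_public).
SUBNETS = {
    "subnet-pub-a": ("us-east-1a", True), "subnet-pub-b": ("us-east-1b", True),
    "subnet-priv-a": ("us-east-1a", False), "subnet-priv-b": ("us-east-1b", False),
}
# Constructed NAT gateway inventory: NAT gateway id -> subnet it was provisioned in.
NAT_GATEWAYS = {"nat-a": "subnet-pub-a", "nat-b": "subnet-pub-b"}

def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or None if the table has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None

def audit_route_tables(route_tables, subnets=SUBNETS, nat_gateways=NAT_GATEWAYS):
    """Return (subnet_id, finding) pairs for every subnet whose default route is wrong."""
    findings = []
    for rt in route_tables:
        target = default_route_target(rt) or ""
        for assoc in rt.get("Associations", []):
            subnet_id = assoc.get("SubnetId")
            if subnet_id not in subnets:
                continue  # main-table association or a subnet outside the audited VPC
            az, is_public = subnets[subnet_id]
            if is_public:
                if not target.startswith("igw-"):
                    findings.append((subnet_id, "public subnet default route is not the internet gateway"))
            elif target.startswith("igw-"):
                findings.append((subnet_id, "private subnet routes 0.0.0.0/0 directly to the internet gateway"))
            elif target not in nat_gateways:
                findings.append((subnet_id, "private subnet has no NAT gateway default route"))
            elif subnets[nat_gateways[target]][0] != az:
                findings.append((subnet_id, f"NAT gateway {target} is not in {az} (cross-AZ dependency)"))
    return findings

# Constructed "before" state from the question: all four subnets send 0.0.0.0/0 to the IGW.
IGW_ROUTE = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}
BROKEN = [
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}], "Routes": [IGW_ROUTE]},
    {"Associations": [{"SubnetId": "subnet-priv-a"}], "Routes": [IGW_ROUTE]},
    {"Associations": [{"SubnetId": "subnet-priv-b"}], "Routes": [IGW_ROUTE]},
]
# Remediated state: each private route table points at the NAT gateway in its own AZ.
FIXED = [
    BROKEN[0],
    {"Associations": [{"SubnetId": "subnet-priv-a"}], "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"Associations": [{"SubnetId": "subnet-priv-b"}], "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b"}]},
]
```

Running `audit_route_tables(BROKEN)` reports both private subnets; after the remediation in `FIXED` it reports nothing, and pointing a private subnet at the other AZ's NAT gateway is reported as a cross-AZ dependency.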