Questions 46 to 48

Explanations for questions 46 to 48

We'll cover the following

Question 46
Question 47
Question 48

Question 46

A bespoke application consisting of three tiers is being deployed in a VPC. You need to create three security groups. You have configured the WebSG (web server) security group and now need to configure the AppSG (application tier) and DBSG (database tier). The application runs on port 1030, and the database runs on 3306.

Which rules should be created according to security best practice? (Select TWO)

On the DBSG security group, create a custom TCP rule for TCP 3306, and configure the AppSG security group as the source.
On the AppSG security group, create a custom TCP rule for TCP 1030, and configure the WebSG security group as the source.
On the AppSG security group, create a custom TCP rule for TCP 1030, and configure the DBSG security group as the source.
On the DBSG security group, create a custom TCP rule for TCP 3306, and configure the WebSG security group as the source.
On the WebSG security group, create a custom TCP rule for TCP 1030, and configure the AppSG security group as the source.

Correct Answer: 1, 2

Explanation: With security groups, rules are always allow rules. The best practice is to configure the source as another security group that is attached to the EC2 instances from which traffic will come. In this case, you need to configure a rule that allows TCP 1030, and configure the source as the web server security group (WebSG). This allows traffic from the web servers to reach the application servers. You then need to allow communications on port 3306 (MYSQL/Aurora) from the AppSG security group to enable access to the database from the application servers.

CORRECT: “On the DBSG security group, create a custom TCP rule for TCP 3306, and configure the AppSG security group as the source.” is the correct answer.

CORRECT: “On the AppSG security group, create a custom TCP rule for TCP 1030, and configure the WebSG security group as the source.” is the second correct answer.

INCORRECT: “On the AppSG security group, create a custom TCP rule for TCP 1030, and configure the DBSG security group as the source.” is incorrect as the app tier will receive traffic from the web tier.

INCORRECT: “On the DBSG security group, create a custom TCP rule for TCP 3306, and configure the WebSG security group as the source.” is incorrect as the databases will be receiving traffic from the app servers.

INCORRECT: “On the WebSG security group, create a custom TCP rule for TCP 1030, and configure the AppSG security group as the source.” is incorrect as the web service will be receiving traffic from the Internet, presumably on standard HTTP/HTTPS ports. This web server security group has already been configured.

References:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

Level up your interview prep. Join Educative to access 70+ hands-on prep courses.

Introduction

Getting Started

Compute

Storage

AWS Database

Migration

Networking and Content Delivery

Management Tools

Media Services

Analytics

AWS Security, Identity, & Compliance

Application Integration

AWS Desktop & App Streaming

Wrapping Up

Practice Exam 1

Practice Exam 1 Explanations

Practice Exam 2

Practice Exam 2 Explanations

Practice Exam 3

Practice Exam 3 Explanations

Practice Exam 4

Practice Exam 4 Explanations

Practice Exam 5

Practice Exam 5 Explanations

Practice Exam 6

Practice Exam 6 Explanations

Questions 46 to 48

Question 46