CCNA Network Security Governance Questions

75 of 421 questions · Page 5/6 · Network Security Governance topic

301 · MCQ · hard

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM role can be created without an approved custom trust policy. Which SCP should be attached to the root OU to enforce this requirement?

A. {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:CreateRole","Resource":"*","Condition":{"StringNotEquals":{"aws:RequestTag/Approved":"true"}}}]}
B. {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:CreateRole","Resource":"*"}]}
C. {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:CreateRole","Resource":"arn:aws:iam::*:role/*","Condition":{"StringNotLike":{"iam:RoleName":"approved-*"}}}]}
D. {"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:PassRole","Resource":"*"}]}
Answer: A

This SCP denies CreateRole unless the request includes a tag 'Approved' with value 'true', enforcing the requirement.

Why this answer

Option A is correct because it uses a Deny effect with a condition that only blocks IAM role creation when the request does not include a tag with key 'Approved' set to 'true'. This enforces that every new IAM role must have an approved custom trust policy by requiring the tag as a proxy for approval, while still allowing role creation when the tag is present. The SCP is attached to the root OU to apply globally across all accounts in the organization.

Exam trap

AWS often tests the distinction between using tags versus naming conventions or resource-based conditions to enforce governance, and candidates mistakenly choose naming-based conditions (Option C) thinking they can enforce policy approval, but tags are the only reliable way to pass metadata at creation time that can be evaluated by SCPs.

How to eliminate wrong answers

Option B is wrong because it denies all iam:CreateRole actions unconditionally, which would prevent any IAM role from being created at all, even those with an approved trust policy, thus violating the requirement to allow approved roles. Option C is wrong because it uses a condition on the role name pattern 'approved-*', which is a naming convention and does not enforce an approved custom trust policy; roles could be named 'approved-*' without having an approved trust policy, and roles with a different name but an approved policy would be blocked. Option D is wrong because it denies iam:PassRole, which controls the ability to pass an existing role to an AWS service, not the creation of a new role; this does not address the requirement to restrict role creation based on trust policy approval.

302 · Drag & Drop · medium

Order the steps to troubleshoot an inter-Region VPC peering connection that is not working:


Why this order

First verify peering status, then check routes, then security groups/ACLs, then test, then use flow logs.

303 · MCQ · easy

A company has a VPC with public and private subnets. The security team wants to allow instances in a private subnet to download software updates from the internet but prevent inbound internet traffic. Which AWS service should be used?

A. Internet gateway
B. AWS Site-to-Site VPN
C. VPC peering connection
D. NAT gateway
Answer: D

NAT gateway enables outbound internet traffic from private subnets.

Why this answer

A NAT gateway allows outbound internet traffic from private subnets while blocking unsolicited inbound traffic, so Option D is correct. Option A is wrong because an internet gateway allows bidirectional traffic. Option B is wrong because a Site-to-Site VPN is for hybrid connectivity. Option C is wrong because VPC peering is for VPC-to-VPC connectivity.

304 · MCQ · medium

A security engineer must ensure that all traffic between an application running on Amazon EC2 and an Amazon RDS database is encrypted in transit. The VPC has a public subnet for the EC2 instance and a private subnet for the RDS database. What is the MOST secure way to enforce encryption for this traffic?

A. Enable IAM database authentication for the RDS instance.
B. Use a security group rule that allows traffic only on port 443.
C. Configure the RDS DB instance to require SSL/TLS connections and configure the application to connect using SSL.
D. Place both the EC2 instance and the RDS database in the same subnet and use a network ACL to enforce encryption.
Answer: C

Enabling SSL/TLS on RDS ensures that all connections to the database are encrypted in transit.

Why this answer

Option C is correct because requiring SSL/TLS for the database connection ensures encryption between the client and the database. Option A is incorrect because enabling IAM database authentication does not enforce encryption in transit; it only controls access. Option B is incorrect because a security group cannot enforce encryption; it only controls traffic at the network layer. Option D is incorrect because a network ACL is stateless and cannot enforce encryption.

305 · MCQ · easy

A security team requires that all traffic between Amazon EC2 instances in different subnets of a VPC be logged. Which AWS service should be used to capture and log the traffic?

A. VPC Flow Logs
B. AWS CloudTrail
C. VPC Traffic Mirroring
D. AWS Config
Answer: A

VPC Flow Logs capture network traffic metadata and can be logged to CloudWatch Logs or S3.

Why this answer

Option A is correct because VPC Flow Logs capture IP traffic information and can be published to CloudWatch Logs or S3. Option B is wrong because AWS CloudTrail logs API calls, not network traffic. Option C is wrong because VPC Traffic Mirroring captures traffic for analysis but is not primarily for logging. Option D is wrong because AWS Config tracks resource configuration changes.

306 · MCQ · medium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application must be accessible only from a specific AWS Client VPN endpoint. The security team has configured the ALB security group to allow inbound traffic from the Client VPN CIDR range, but users report that they can still access the application from outside the VPN. What is the MOST likely cause of this issue?

A. The ALB security group is not set as the source for inbound traffic; instead, traffic reaches the ALB directly from the internet.
B. The network ACL is stateless and requires separate inbound and outbound rules for return traffic.
C. The subnet's network ACL allows inbound HTTP/HTTPS traffic from 0.0.0.0/0.
D. The EC2 instances' security group allows inbound traffic from 0.0.0.0/0.
Answer: A

If the ALB security group does not restrict inbound traffic, traffic can bypass the Client VPN.

Why this answer

Option A is correct because the ALB security group is configured to allow inbound traffic from the Client VPN CIDR range, but if the ALB itself is internet-facing (i.e., it has public IP addresses and is deployed in public subnets), traffic can bypass the security group rules if the security group is not actually applied to the ALB's network interfaces. The most likely cause is that the ALB security group is not set as the source for inbound traffic; instead, traffic reaches the ALB directly from the internet, meaning the security group rules are not being enforced on the ALB's listener. This allows users outside the VPN to access the application because the ALB accepts traffic from any source unless the security group explicitly restricts it.

Exam trap

The trap here is that candidates assume the ALB security group is automatically enforced, but Cisco tests the nuance that an internet-facing ALB can still receive traffic from the internet if the security group is not properly applied or if the ALB is not configured to restrict traffic to the VPN CIDR.

How to eliminate wrong answers

Option B is wrong because network ACLs are stateless and require separate inbound and outbound rules, but this does not explain why users outside the VPN can access the application; network ACLs operate at the subnet level and would affect all traffic, not just VPN traffic. Option C is wrong because even if the subnet's network ACL allows inbound HTTP/HTTPS traffic from 0.0.0.0/0, the ALB security group should still block non-VPN traffic; the security group is the primary control for the ALB, and a permissive NACL does not override a restrictive security group. Option D is wrong because the EC2 instances' security group allowing inbound traffic from 0.0.0.0/0 is irrelevant if the ALB is the entry point; the ALB terminates the client connection and forwards traffic to the instances, so the instances' security group only needs to allow traffic from the ALB's security group, not from the internet.

307 · MCQ · hard

A company is designing a multi-account architecture. They need to centralize VPC flow logs from all accounts into a single Amazon S3 bucket in the security account. The logs must be encrypted at rest using a customer-managed KMS key in the security account. Which combination of steps is required?

A. Configure the S3 bucket policy to allow the log accounts to write; encryption is automatic with SSE-S3.
B. Create a KMS key in each account and configure the S3 bucket to use each key.
C. Configure the KMS key policy to allow the log-producing accounts to use the key, and the S3 bucket policy to allow those accounts to write.
D. Create a KMS key in the security account with no key policy changes; use bucket policies to allow cross-account writes.
Answer: C

Cross-account KMS requires key policy; bucket policy allows writes.

Why this answer

Option C is correct because cross-account KMS access requires a KMS key policy that grants the log-producing accounts permission to use the key, and the S3 bucket policy must allow cross-account writes. Option A is wrong because an S3 bucket policy alone does not handle encryption permissions. Option B is wrong because a CMK in each account would not be centralized. Option D is wrong because using a single KMS key with cross-account access requires a key policy change.

308 · MCQ · easy

A security engineer needs to ensure that all internet-bound traffic from a VPC is inspected by a third-party firewall appliance before reaching the internet. The firewall is deployed in a separate VPC. Which AWS service should the engineer use to route traffic from the source VPC to the firewall VPC?

A. AWS Transit Gateway with a route table that points the default route (0.0.0.0/0) to the firewall VPC attachment.
B. VPC Gateway Endpoint for the firewall service.
C. AWS PrivateLink to connect to the firewall service in the other VPC.
D. VPC Peering connection between the two VPCs with a route table entry that sends internet traffic to the peering connection.
Answer: A

Transit Gateway enables transitive routing between VPCs, allowing internet-bound traffic to be inspected by the firewall.

Why this answer

Option A is correct because Transit Gateway supports routing between VPCs and can direct internet-bound traffic through a firewall VPC. Option B is wrong because a VPC endpoint is for accessing AWS services privately. Option C is wrong because PrivateLink is for accessing services in another VPC, not for routing traffic. Option D is wrong because VPC peering does not support transitive routing.

309 · MCQ · medium

A security engineer is designing a hybrid network with an AWS Site-to-Site VPN. The company requires that all traffic between the on-premises network and VPC be encrypted in transit. Which configuration ensures this requirement is met?

A. Use VPC peering instead of VPN
B. Use AWS Direct Connect with MACsec
C. Deploy a Transit Gateway with route tables
D. Use AWS Site-to-Site VPN with IPsec tunnels
Answer: D

Site-to-Site VPN encrypts all traffic via IPsec.

Why this answer

Site-to-Site VPN uses IPsec tunnels to encrypt traffic, so Option D is correct because the VPN connection inherently encrypts all traffic. Option A is wrong because VPC peering does not provide encryption. Option B is wrong because Direct Connect does not encrypt by default. Option C is wrong because Transit Gateway does not itself provide encryption.

310 · Multi-Select · hard

A company is using AWS Direct Connect to connect their on-premises network to AWS. They need to ensure that traffic from a specific on-premises subnet can only access a specific VPC subnet. Which two components must be configured? (Choose two.)

Select 2 answers
A. VPN connection
B. Route tables with specific routes
C. Public virtual interface (VIF)
D. Private virtual interface (VIF)
E. Transit virtual interface (VIF)
Answers: B, D

Route tables ensure traffic from on-premises is directed to the correct VPC subnet.

Why this answer

Options B and D are correct. A private VIF is required for accessing VPCs, and a route table with specific routes ensures traffic from the on-premises subnet is directed to the correct VPC subnet. Option A is wrong because a VPN connection is not needed with Direct Connect. Option C is wrong because a public VIF is for public AWS endpoints. Option E is wrong because a transit VIF is for connecting to multiple VPCs via a transit gateway, not for a single VPC subnet.

311 · MCQ · medium

A company is deploying a web application behind an Application Load Balancer (ALB). The application must only accept traffic from the ALB. Which security group configuration should be used for the EC2 instances?

A. Allow inbound from 0.0.0.0/0 on port 80
B. Allow inbound from the ALB security group on port 80
C. Allow inbound from the ALB's private IP addresses on port 80
D. Allow inbound from the VPC CIDR on port 80
Answer: B

Only ALB can reach the instances.

Why this answer

Option B is correct because the security group for the EC2 instances should allow inbound traffic from the ALB's security group. Option A is wrong because allowing 0.0.0.0/0 is insecure. Option C is wrong because the ALB's private IPs are dynamic. Option D is wrong because the VPC CIDR may include other sources.

312 · MCQ · hard

A security team is designing a network architecture that must meet PCI DSS compliance. They have a VPC with multiple subnets and need to ensure that all traffic between subnets is inspected by a stateful firewall. The solution must also support scalability and high availability. Which AWS service should they use?

A. AWS Network Firewall
B. Security groups on each subnet
C. AWS WAF
D. Network ACLs on each subnet
Answer: A

Provides stateful network inspection, scales, and is highly available.

Why this answer

Option A is correct. AWS Network Firewall provides stateful inspection, scales automatically, and is highly available. Option B is wrong because security groups, although stateful, are simple allow rules rather than a firewall appliance that inspects traffic. Option C is wrong because AWS WAF operates at the web application layer, not the network layer. Option D is wrong because network ACLs are stateless.

313 · MCQ · easy

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to centrally inspect and filter traffic between VPCs using a third-party firewall appliance. Which architecture should be used?

A. AWS PrivateLink endpoints in each VPC
B. AWS Network Firewall deployed in each VPC
C. VPC peering between each VPC and the inspection VPC
D. Transit Gateway with appliance mode and a dedicated inspection VPC
Answer: D

Transit Gateway appliance mode enables symmetric routing for inspection.

Why this answer

Transit Gateway with appliance mode enables symmetric routing and forces traffic through the inspection VPC, so Option D is correct. Option A is wrong because PrivateLink is for service access, not traffic inspection. Option B is wrong because AWS Network Firewall is a managed service, not a third-party appliance. Option C is wrong because VPC peering does not centralize inspection.

314 · MCQ · medium

A security engineer runs tcpdump on an EC2 instance (10.0.1.5) and sees the output above. The instance is in a private subnet with a security group that allows inbound HTTPS from 0.0.0.0/0. The instance is behind a Network Load Balancer (NLB) that has a public IP. The engineer is unable to establish an HTTPS connection from the internet. What is the most likely cause?

A. The NLB is not preserving the source IP, so the security group is blocking the traffic.
B. The NLB's target group health checks are failing, causing the NLB to consider the instance unhealthy.
C. The instance's operating system firewall is blocking the connection.
D. The security group is blocking inbound traffic from the NLB.
Answer: B

The tcpdump shows the handshake from the NLB, but if health checks fail, the NLB stops sending traffic.

Why this answer

The tcpdump output shows the NLB's health check traffic (SYN packets from the NLB's private IPs) reaching the instance, but the engineer cannot establish an HTTPS connection from the internet. If the target group health checks are failing, the NLB marks the instance as unhealthy and stops forwarding traffic to it, which would prevent any internet HTTPS connections from reaching the instance. This is the most likely cause because the security group allows inbound HTTPS from 0.0.0.0/0, and the NLB does not preserve source IP by default, so the security group is not blocking traffic from the internet.

Exam trap

AWS often tests the misconception that security group rules are the primary cause of connectivity issues with NLBs, but the real trap is that candidates overlook how NLB health checks directly control traffic forwarding, and a failing health check silently drops all traffic even when security groups and routes are correctly configured.

How to eliminate wrong answers

Option A is wrong because the NLB does not preserve source IP by default (it uses its own private IPs as the source), so the security group allowing inbound HTTPS from 0.0.0.0/0 would still permit traffic from the NLB's private IPs; the issue is not about source IP preservation blocking traffic. Option C is wrong because the tcpdump output shows the instance is receiving SYN packets (health checks), indicating the OS network stack is responding; if an OS firewall were blocking, the instance would not receive or respond to any packets, but the tcpdump shows incoming SYN packets. Option D is wrong because the security group explicitly allows inbound HTTPS from 0.0.0.0/0, which includes the NLB's private IPs; the security group is not blocking traffic from the NLB.

315 · MCQ · medium

A company wants to audit all Network Load Balancer (NLB) operations performed in their AWS account. Which AWS service should they use?

A. AWS CloudTrail
B. Amazon CloudWatch Logs
C. AWS Config
D. VPC Flow Logs
Answer: A

CloudTrail records API calls for auditing.

Why this answer

Option A is correct because AWS CloudTrail records API calls for AWS services, including NLB. Option B is wrong because CloudWatch Logs stores logs but does not capture API calls natively. Option C is wrong because Config records resource configurations, not API calls. Option D is wrong because VPC Flow Logs capture network traffic, not API operations.

316 · MCQ · hard

A company has a VPC with a VPN connection to an on-premises data center. They want to ensure that traffic between the VPC and on-premises is encrypted and authenticated. Which two components are required to establish the VPN tunnel?

A. AWS Direct Connect and Direct Connect Gateway
B. Virtual Private Gateway and Customer Gateway
C. Internet Gateway and NAT Gateway
D. Transit Gateway and VPN Attachment
Answer: B

VPG and CGW are the required endpoints for a VPN connection.

Why this answer

Option B is correct because a Virtual Private Gateway (VPG) is the AWS-side endpoint, and a Customer Gateway (CGW) represents the on-premises router. Option A (Direct Connect) is a different service. Option C (Internet Gateway and NAT Gateway) is for internet traffic. Option D (Transit Gateway) is optional.

317 · MCQ · easy

A company is using AWS Shield Advanced to protect against DDoS attacks. The security team wants to receive notifications when an attack is detected. Which service should be used to send these notifications?

A. AWS Lambda
B. AWS Config
C. Amazon SQS
D. Amazon SNS
Answer: D

SNS can send notifications via email, SMS, etc., triggered by CloudWatch Events.

Why this answer

AWS Shield Advanced integrates with CloudWatch to send metrics and events. CloudWatch Events (now Amazon EventBridge) can trigger SNS notifications, so Option D is correct. Option A is wrong because Lambda is compute, not notification. Option B is wrong because Config is for configuration compliance. Option C is wrong because SQS is a queue, not a notification service.

318 · MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to connect to the internet for patching. The security team wants to minimize the attack surface. Which solution should be used?

A. Set up a proxy server in the public subnet
B. Attach an Internet Gateway to the private subnet
C. Create a NAT Gateway in the public subnet and update route tables
D. Use a VPN connection to the on-premises network
Answer: C

NAT Gateway provides secure outbound internet access.

Why this answer

Option C is correct because a NAT Gateway in the public subnet allows outbound internet traffic from private instances without allowing inbound traffic. Option A is wrong because a proxy server adds complexity and is less secure than a NAT Gateway. Option B is wrong because an internet gateway directly attached to the private subnet would expose the instance. Option D is wrong because a VPN is not needed for internet access.

319 · MCQ · hard

A company has a VPC with public and private subnets. They launch an Application Load Balancer (ALB) in the public subnets and targets in private subnets. Security requirements dictate that the targets should only accept traffic from the ALB. Which security group configuration meets this requirement?

A. Set the target security group inbound rule to allow HTTP from 0.0.0.0/0.
B. Set the target security group inbound rule to allow HTTP from the ALB security group ID.
C. Set the target security group inbound rule to allow HTTP from the ALB's public IP address.
D. Set the target security group inbound rule to allow HTTP from the VPC CIDR.
Answer: B

This allows traffic only from the ALB's elastic network interfaces.

Why this answer

Option B is correct because referencing the ALB security group by ID in the target security group rule allows traffic only from that specific SG, which is the best practice. Option A is wrong because that would allow traffic from any source, not just the ALB. Option C is wrong because the ALB is not a source by its own IP; its traffic comes from its ENIs, which belong to the ALB SG. Option D is wrong because that would allow traffic from any resource in the VPC.

320 · MCQ · medium

A network engineer is troubleshooting connectivity issues between an on-premises network and an Amazon VPC over an AWS Direct Connect connection. The on-premises network uses BGP to advertise routes to the VPC. The VPC is associated with a virtual private gateway (VGW). The on-premises network can reach resources in the VPC, but VPC resources cannot reach on-premises resources. What is the most likely cause?

A. The virtual private gateway is not attached to the VPC.
B. The BGP session is not established.
C. The security group associated with the VPC resources is blocking inbound traffic from on-premises.
D. The VPC route tables do not have a route for the on-premises CIDR pointing to the virtual private gateway.
Answer: D

Without a route, VPC traffic destined for on-premises will not be routed to the Direct Connect.

Why this answer

Option D is correct because if the VPC's route tables do not have a route pointing to the virtual private gateway for the on-premises CIDR, traffic from the VPC will not be sent over the Direct Connect. Option A is incorrect because the virtual private gateway is attached; what it still needs is to propagate routes into the VPC route tables. Option B is incorrect because BGP is used for route exchange; if on-premises can reach the VPC, BGP is working. Option C is incorrect because security groups are stateful and allow return traffic.

321 · MCQ · easy

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. Which policy type should be used?

A. Configure a VPC endpoint policy
B. Configure a network ACL to block all traffic except from the VPC CIDR
C. Use an S3 access point with a network origin condition
D. Attach an S3 bucket policy with a condition for aws:SourceVpc
Answer: D

Bucket policies with aws:SourceVpc condition restrict access to traffic originating from the specified VPC.

Why this answer

S3 bucket policies support condition keys like aws:SourceVpc to restrict access to a specific VPC, so Option D is correct because a bucket policy with a VPC condition is the direct method. Option A is wrong because VPC endpoint policies control what actions can be performed via the endpoint, but they do not replace the bucket policy. Option B is wrong because network ACLs control traffic at the subnet level, not at the S3 layer. Option C is wrong because S3 access points can have policies but are not required.

322 · MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket for backups. The company wants to minimize data transfer costs and avoid traversing the internet. Which solution should be used?

A. Create a VPC Gateway Endpoint for S3 and attach a bucket policy allowing access from the VPC
B. Set up a proxy server in the public subnet and configure the EC2 instance to use it
C. Create a VPC Interface Endpoint for S3 and associate it with the private subnet
D. Place the EC2 instance in a public subnet with a public IP and use a NAT gateway
Answer: A

Cost-effective and private.

Why this answer

A VPC Gateway Endpoint for S3 allows private access to S3 without an internet gateway or NAT, so Option A is correct. Option B is wrong because a proxy server adds complexity and cost. Option C is wrong because a VPC Interface Endpoint for S3 is more expensive and not required. Option D is wrong because a NAT gateway incurs costs and uses the internet.

323 · Multi-Select · medium

A company is using AWS Organizations and wants to centrally manage and enforce the use of VPC endpoints for S3 across all accounts. Which THREE services/tools can be combined to achieve this?

Select 3 answers
A. VPC Flow Logs
B. AWS Config rules
C. AWS CloudFormation StackSets
D. AWS Service Control Policies (SCPs)
E. AWS Transit Gateway
Answers: B, C, D

Config rules can evaluate whether VPC endpoints exist and trigger remediation.

Why this answer

Option D (AWS Service Control Policies) can enforce that VPC endpoint creation is allowed or denied. Option C (AWS CloudFormation StackSets) can deploy VPC endpoints across multiple accounts. Option B (AWS Config rules) can detect non-compliant resources. Option A is wrong because VPC Flow Logs do not enforce compliance. Option E is wrong because AWS Transit Gateway is for network connectivity, not policy enforcement.

324 · Multi-Select · medium

A company is designing a security group configuration for a three-tier web application (web, application, database). The web tier is accessible from the internet. Which TWO rules should be applied to meet security best practices?

Select 2 answers
A. App tier security group: inbound from 0.0.0.0/0 on port 8080.
B. Database tier security group: inbound from the web tier security group on port 3306.
C. App tier security group: inbound from the web tier security group on port 8080.
D. Web tier security group: inbound from 0.0.0.0/0 on port 443.
E. Database tier security group: inbound from 0.0.0.0/0 on port 3306.
Answers: C, D

The app tier should only accept traffic from the web tier.

Why this answer

For a three-tier architecture, the web tier security group should allow inbound from the internet (0.0.0.0/0 on HTTP/HTTPS). The app tier security group should allow inbound only from the web tier security group. The database tier should allow inbound only from the app tier security group.

Options C and D are correct. Option A (app tier from 0.0.0.0/0) is wrong. Option B (database tier from the web tier) bypasses the app tier. Option E (database tier from 0.0.0.0/0) is wrong.

325 · MCQ · medium

A company uses AWS WAF to protect its web application from common exploits. The security team notices that a specific IP address is generating a high volume of requests and should be blocked immediately. Which action should be taken?

A. Update the AWS WAF IP set rule to block the IP address
B. Add a rule to the security group to deny traffic from that IP
C. Add a network ACL rule to deny traffic from that IP in the subnet
D. Use AWS CloudFront geo-restriction to block the IP
Answer: A

WAF can block specific IPs at the application layer.

Why this answer

AWS WAF allows creating IP set rules to block specific IPs, so Option A is correct. Option B is wrong because security groups are for VPC traffic, not HTTP-level. Option C is wrong because NACLs are stateless and less flexible. Option D is wrong because CloudFront alone does not block IPs at the application layer.

326 · MCQ · easy

A security group is configured as shown. An EC2 instance in the same VPC with IP 10.0.1.50 can connect to the instance on port 443. An on-premises client with IP 203.0.113.5 cannot connect. What is the most likely reason?

A. The security group's outbound rules block return traffic
B. The protocol is incorrect; HTTPS uses UDP
C. The security group only allows traffic from the 10.0.0.0/16 CIDR
D. The security group has a deny rule for the on-premises IP
Answer: C

On-premises IP is not in that range.

Why this answer

Option C is correct because the security group only allows traffic from the 10.0.0.0/16 CIDR, which is the VPC range; on-premises traffic comes from outside that range. Option A is wrong because no outbound rules are shown, and outbound is allow-all by default. Option B is wrong because the protocol is correct. Option D is wrong because there is no explicit deny, only an implicit deny.

327 · MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs. Security requirements mandate that traffic between VPCs must be inspected by a centralized firewall appliance in a dedicated inspection VPC. What is the MOST efficient way to route traffic to the inspection VPC?

A. Deploy AWS Network Firewall in each VPC and configure central logging
B. Use Transit Gateway multicast to replicate traffic to the inspection VPC
C. Configure Transit Gateway route tables with blackhole routes for inter-VPC traffic and a default route pointing to the inspection VPC attachment
D. Create VPC peering connections between all VPCs and the inspection VPC, then configure route tables to send traffic through the peering connection
Answer: C

Blackhole routes prevent direct inter-VPC communication, and the default route sends all traffic to the inspection VPC for inspection.

Why this answer

Option C is correct because Transit Gateway route tables with blackhole routes for inter-VPC traffic force traffic to the inspection VPC via a default route. Option A is wrong because Network Firewall can inspect, but the question asks for routing to a firewall appliance in an inspection VPC. Option B is wrong because it bypasses the firewall. Option D is wrong because VPC peering does not scale and lacks centralized inspection.

328 · Multi-Select · medium

A company is designing a network security architecture for a multi-account AWS environment using AWS Organizations. The security team needs to centrally manage and enforce network security policies across all accounts. Which TWO services or features can be used to centrally enforce network security controls? (Choose TWO.)

Select 2 answers
A. AWS Network Firewall
B. Network ACLs
C. AWS Firewall Manager
D. VPC Flow Logs
E. VPC security groups with cross-account references
Answers: A, C

Network Firewall can be centrally deployed and managed using Firewall Manager.

Why this answer

AWS Network Firewall is a managed service that provides stateful, application-layer filtering and intrusion prevention for VPCs. It can be centrally deployed and managed across multiple accounts using AWS Firewall Manager, enabling consistent enforcement of network security policies at scale.

Exam trap

AWS often tests the distinction between monitoring tools (like VPC Flow Logs) and enforcement tools (like AWS Network Firewall), leading candidates to mistakenly select VPC Flow Logs as a security control.

329
Multi-Select · easy

A company is using Amazon S3 to store sensitive data. They want to ensure that data is encrypted at rest and that access is logged. Which TWO services should they enable?

Select 2 answers
A. AWS Config
B. S3 Server Access Logs
C. VPC Flow Logs
D. AWS CloudTrail
E. S3 Server-Side Encryption
Answers: B, E

Server access logs record requests to the bucket; server-side encryption protects the objects at rest.

Why this answer

Options B and E are correct: S3 Server Access Logs record requests made to the bucket (B), and S3 Server-Side Encryption (SSE) encrypts data at rest (E). Option A is wrong because AWS Config records configuration changes, not data access. Option C is wrong because VPC Flow Logs capture network traffic metadata, not S3 requests.

Option D is wrong because CloudTrail logs API calls, but S3 server access logs are more granular for bucket-level access logging.

330
MCQ · hard

A company has a VPC with multiple subnets across Availability Zones. An application uses a Network Load Balancer (NLB) to distribute traffic to instances. The security team notices that traffic from a specific client IP is being dropped. The NLB access logs show the client IP, but the target instances do not receive the traffic. What is the most likely cause?

A. The target group health checks are failing, so the NLB is not sending traffic to those targets
B. The target subnet network ACL blocks the client IP
C. The target instance security group does not allow traffic from the NLB
D. The NLB security group blocks the client IP
Answer: A

If health checks fail, the NLB marks the target as unhealthy and stops sending traffic.

Why this answer

Option A is correct: the NLB target group health checks are most likely failing, so the NLB does not send traffic to the unhealthy targets. Option B is wrong because NACLs on the target subnet affect traffic to the instance, but the NLB would still send traffic if the target is healthy. Option C is wrong because security groups on the targets would drop traffic only after the NLB has sent it.

Option D is wrong because an NLB does not have security groups.

331
MCQ · hard

A company has a hybrid network with an AWS Site-to-Site VPN connection to an on-premises data center. The network team wants to ensure that only encrypted traffic is sent over the internet between the two sites. The VPC has a virtual private gateway attached. When testing, they discover that some traffic is going over the internet without encryption. Which configuration change should be made to enforce encryption?

A. Add a static route in the VPC route table for the on-premises CIDR block pointing to the virtual private gateway.
B. Disable route propagation on the VPC route table to remove any dynamic routes from the VPN.
C. Enable IPsec acceleration on the VPN tunnel to ensure all traffic is encrypted.
D. Replace the virtual private gateway with a transit gateway and attach the VPN connection.
Answer: A

A static route forces traffic destined for on-premises through the VPN tunnel, ensuring encryption.

Why this answer

Option A is correct because adding a static route in the VPC route table pointing to the virtual private gateway forces traffic for the on-premises network through the VPN tunnel, ensuring encryption. Option B is wrong because disabling route propagation would remove dynamic routes, but the traffic might still use the internet gateway if a more specific route exists. Option C is wrong because the VPN tunnel already uses IPsec; the issue is routing, not encryption.

Option D is wrong because the VPN connection already uses a virtual private gateway; replacing it with a transit gateway does not fix the routing problem.

332
MCQ · hard

A company needs to securely connect an on-premises data center to AWS using multiple VPN tunnels. The security team requires that all traffic between the VPC and on-premises be encrypted and that the tunnels use a second authentication mechanism beyond pre-shared keys. Which solution meets these requirements?

A. Use AWS Client VPN with mutual authentication
B. Use AWS Transit Gateway with VPN attachments and configure pre-shared keys
C. Use AWS VPN CloudHub with multiple VPN connections and configure certificate-based authentication for each tunnel
D. Use AWS Direct Connect with a public VIF and establish an IPsec VPN over the Direct Connect connection
Answer: C

CloudHub supports multiple tunnels and certificate-based authentication for enhanced security.

Why this answer

Option C is correct because AWS VPN CloudHub uses multiple VPN connections with BGP routing and supports certificate-based authentication with mutual TLS for enhanced security. Option A is wrong because Client VPN is for individual clients, not site-to-site connectivity. Option B is wrong because Transit Gateway with VPN attachments uses PSK by default; certificate-based authentication is not supported.

Option D is wrong because Direct Connect does not provide encryption by default; VPN over Direct Connect adds encryption but not a second authentication factor beyond PSK.

333
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team needs to implement a centralized inspection architecture where all traffic between VPCs must be inspected by a security appliance (e.g., firewall) deployed in a dedicated inspection VPC. Currently, traffic flows directly between VPCs using the Transit Gateway. Which architecture change would enforce that all inter-VPC traffic passes through the inspection VPC?

A. Create VPC peering connections between each VPC and the inspection VPC, and remove the Transit Gateway attachments.
B. Configure the Transit Gateway to use separate route tables for each VPC attachment, with a default route pointing to the inspection VPC's attachment. Then, in the inspection VPC, route traffic back to the Transit Gateway for final delivery.
C. Use AWS Direct Connect Gateway to route traffic through the inspection VPC.
D. Deploy a Network Load Balancer in each VPC and configure it to forward traffic to the inspection VPC.
Answer: B

This design forces all inter-VPC traffic to traverse the inspection VPC for firewall inspection.

Why this answer

Option B is correct. By using Transit Gateway route tables, you can create separate route tables for each VPC attachment and propagate only a default route pointing to the inspection VPC. This forces all traffic to go through the inspection VPC.

Option A is incorrect because VPC peering does not integrate with Transit Gateway. Option C is incorrect because Direct Connect is for on-premises connectivity, not for inter-VPC routing. Option D is incorrect because a Network Load Balancer does not provide routing control.

334
MCQ · medium

A company uses AWS Organizations with SCPs to restrict access. The security team wants to ensure that no IAM user or role can disable AWS Shield Advanced protections. Which SCP effect should be used?

A. Deny in the IAM policy
B. Deny
C. Allow
D. Block
Answer: B

Deny in an SCP explicitly prohibits the specified actions.

Why this answer

Option B is correct because the Deny effect in an SCP explicitly prohibits actions. Option A is wrong because a Deny in an IAM policy is not as effective when SCPs are present; SCPs can override IAM allows. Option C is wrong because Allow in an SCP does not restrict; it only permits.

Option D is wrong because there is no 'Block' effect in SCPs.

335
Multi-Select · easy

A company is deploying a web application that must be accessible over HTTPS only. They are using an Application Load Balancer (ALB) with an SSL certificate from AWS Certificate Manager (ACM). Which TWO configurations are necessary to ensure that only HTTPS traffic reaches the application?

Select 2 answers
A. Configure the security group for the ALB to allow inbound traffic on port 80 from 0.0.0.0/0.
B. Configure the ALB listener to accept traffic on port 80.
C. Configure the security group for the ALB to allow inbound traffic on port 443 from 0.0.0.0/0.
D. Configure the ALB to redirect HTTP traffic to HTTPS.
E. Configure the ALB listener to accept traffic on port 443 using the SSL certificate.
Answers: C, E

This allows HTTPS traffic from the internet.

Why this answer

Options C and E are correct. The ALB listener must be configured for HTTPS on port 443 using the ACM certificate, and the security group for the ALB should only allow inbound HTTPS traffic on port 443. Option A is wrong because the ALB security group should not allow inbound port 80 from the internet; only HTTPS should be permitted. Option B is wrong because an HTTP listener is not needed.

Option D is wrong because redirecting HTTP to HTTPS is not sufficient if the listener accepts HTTP; the listener should not accept HTTP at all.

336
MCQ · easy

A company is using AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets across the organization are encrypted with SSE-S3. Which control mechanism should they use?

A. Assign an IAM policy to all users that requires SSE-S3.
B. Configure a bucket policy on each bucket to deny writes without SSE-S3.
C. Create a service control policy (SCP) that denies PutBucketEncryption if the encryption is not SSE-S3.
D. Use AWS CloudTrail to monitor and alert on non-compliant bucket creations.
Answer: C

SCPs can enforce policies across all accounts in the organization.

Why this answer

Option C is correct because SCPs can deny actions that do not comply with encryption requirements across every account in the organization. Option A is wrong because IAM policies are account-level and cannot enforce across all accounts. Option B is wrong because bucket policies are per-bucket.

Option D is wrong because CloudTrail is logging, not enforcement.

337
MCQ · hard

A security engineer created the S3 bucket policy shown. After applying it, users from the 10.0.0.0/16 network (VPC CIDR) are able to access objects, but external users from 203.0.113.0/24 receive 'Access Denied' even though they are using HTTPS. What is the likely cause?

A. The VPC endpoint policy for the S3 endpoint restricts access to the bucket.
B. The policy only allows 's3:GetObject' but the users are trying to list objects.
C. The policy does not include a 'Deny' statement for non-IP ranges.
D. The S3 bucket has 'Block public access' enabled, which overrides the policy.
Answer: A

Even if the bucket policy allows the request, the VPC endpoint policy can still deny access when the traffic is routed through the endpoint.

Why this answer

The bucket policy requires both conditions to be met: the source IP must fall in either 10.0.0.0/16 or 203.0.113.0/24, and aws:SecureTransport must be true. The external users come from 203.0.113.0/24 and use HTTPS, so both conditions are satisfied and the bucket policy alone should allow them. Because they are still denied, another policy must be evaluated on the request path; of the options given, a VPC endpoint policy for the S3 endpoint that restricts access to the bucket is the most plausible cause, so Option A is correct.

Option B is wrong because the policy allows s3:GetObject and the stem says the users are accessing objects. Option C is wrong because a missing Deny statement cannot cause a denial for requests that the Allow statement already matches. Option D is wrong because Block Public Access could be enabled, but the policy's Allow still applies to these IP-restricted requests.

338
MCQ · medium

A company wants to enforce that all outbound traffic from its VPC flows through a centralized inspection VPC for security monitoring. The VPCs are connected via Transit Gateway. Which set of actions should a network engineer take to ensure that traffic from application VPCs is routed to the inspection VPC before reaching the internet?

A. Create VPC peering connections between each application VPC and the inspection VPC, and add routes pointing to the peering connection.
B. Attach an internet gateway to each application VPC and add a default route pointing to the inspection VPC's NAT gateway.
C. Attach an internet gateway to each application VPC and add a default route pointing to it.
D. Create a TGW route table with a blackhole route for 0.0.0.0/0 and associate it with application VPC attachments; attach the inspection VPC to a different TGW route table that has a route to the internet via an egress VPC.
Answer: D

This enforces traffic flow through inspection VPC.

Why this answer

Option D is correct because it uses separate Transit Gateway route tables to enforce traffic isolation: the application VPC attachments use a route table with a blackhole for 0.0.0.0/0, preventing direct internet access, while the inspection VPC uses a different route table with a route to an egress VPC that has an internet gateway. This ensures all outbound traffic from application VPCs must first traverse the inspection VPC for security monitoring before reaching the internet.

Exam trap

The trap here is that candidates often assume VPC peering or direct internet gateway attachments can be combined with Transit Gateway for centralized inspection, but they fail to recognize that Transit Gateway route tables are required to enforce traffic isolation and prevent direct internet access from application VPCs.

How to eliminate wrong answers

Option A is wrong because VPC peering does not support transitive routing; each peering connection is a one-to-one link, so traffic from one application VPC cannot be routed through the inspection VPC to another VPC or the internet without additional complex routing. Option B is wrong because an internet gateway attached to an application VPC would allow direct outbound traffic, bypassing the inspection VPC; the default route pointing to the inspection VPC's NAT gateway is invalid because a NAT gateway cannot be reached across a Transit Gateway without proper routing and the NAT gateway itself is not a routing target for a VPC's default route. Option C is wrong because attaching an internet gateway to each application VPC and adding a default route pointing to it directly sends traffic to the internet, completely bypassing the centralized inspection VPC.

339
MCQ · easy

A company wants to securely store and manage secrets such as database passwords and API keys. They need to automatically rotate secrets every 30 days and ensure that only specific IAM roles can access them. Which AWS service should they use?

A. AWS Systems Manager Parameter Store
B. AWS Key Management Service (KMS)
C. AWS Secrets Manager
D. AWS CloudHSM
Answer: C

Secrets Manager is designed for storing secrets with built-in rotation capability and fine-grained access control using IAM policies.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, managing, and automatically rotating secrets such as database passwords and API keys. It supports native rotation with AWS Lambda, enforces fine-grained access control via IAM roles, and can rotate secrets on a schedule (e.g., every 30 days) without custom scripting.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets securely but lacks native rotation) with AWS Secrets Manager, leading them to choose Parameter Store when automatic rotation is explicitly required.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of secrets; it requires custom solutions (e.g., Lambda) to rotate values and lacks native secret rotation scheduling. Option B is wrong because AWS Key Management Service (KMS) is a key management service for encryption keys, not a secret store; it does not store secrets or provide rotation capabilities for passwords or API keys. Option D is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for cryptographic operations and key storage, but it does not store or manage application secrets like database passwords or API keys, nor does it offer automatic rotation.

340
MCQ · easy

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The security team wants to ensure that traffic between the on-premises network and the VPC is encrypted using IPSec. Which solution meets this requirement?

A. Establish an IPSec VPN connection over the Direct Connect public virtual interface using a customer gateway and a virtual private gateway.
B. Use a private virtual interface (VIF) on the Direct Connect connection and enable encryption at the physical layer.
C. Use VPC endpoints (Gateway Endpoints) for all traffic between on-premises and the VPC.
D. Attach the Direct Connect virtual interface to a Transit Gateway and enable multicast.
Answer: A

This combination provides encrypted IPSec tunnels over the Direct Connect connection.

Why this answer

Option A is correct because it establishes an IPSec VPN tunnel over a Direct Connect public virtual interface (VIF), which encrypts traffic between the on-premises network and the VPC. The customer gateway and virtual private gateway create a site-to-site VPN connection that uses IPSec to secure all data traversing the Direct Connect link, meeting the encryption requirement without relying on physical-layer security.

Exam trap

The trap here is that candidates assume a private virtual interface inherently provides encryption, but Direct Connect private VIFs are unencrypted by default, and IPSec must be explicitly layered over a public VIF or via a VPN appliance.

How to eliminate wrong answers

Option B is wrong because private virtual interfaces do not support encryption at the physical layer; Direct Connect operates at Layer 2 and does not provide native encryption, and enabling encryption at the physical layer (e.g., MACsec) is not supported on Direct Connect private VIFs. Option C is wrong because VPC Gateway Endpoints (e.g., for S3 or DynamoDB) only provide private connectivity to specific AWS services, not general IPSec encryption for all traffic between on-premises and the VPC. Option D is wrong because attaching a Direct Connect virtual interface to a Transit Gateway and enabling multicast does not provide IPSec encryption; multicast is a separate feature for one-to-many communication, not for securing traffic.

341
MCQ · hard

A security engineer is configuring Network Access Control Lists (NACLs) for a VPC with multiple subnets. The engineer wants to block SSH access (port 22) from a specific IP range 10.0.0.0/8 to the entire VPC CIDR (172.16.0.0/16). What is the most effective approach?

A. Add inbound and outbound NACL rules denying SSH from 10.0.0.0/8
B. Add a security group rule to deny inbound SSH from 10.0.0.0/8
C. Add an inbound NACL rule denying SSH from 10.0.0.0/8
D. Add an outbound security group rule denying SSH to 10.0.0.0/8
Answer: A

NACL rules must be added for both directions because NACLs are stateless.

Why this answer

Option A is correct because NACLs are stateless, so you must add both an inbound and an outbound rule to block each direction. Option B is wrong because security groups are instance-level, not subnet-level, and the block is required for the entire VPC CIDR. Option C is wrong because a single inbound rule cannot block both directions.

Option D is wrong because security groups are stateful and cannot easily block traffic based on source IP in an outbound rule.

342
MCQ · easy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. The bucket policy should deny requests that do not originate from the VPC. Which condition key should be used in the bucket policy?

A. aws:SourceVpc
B. aws:VpcSourceIp
C. aws:Referer
D. aws:SourceIp
Answer: A

This condition key restricts access to a specific VPC.

Why this answer

The correct condition key is `aws:SourceVpc`, which allows you to restrict access to an S3 bucket based on the VPC from which the request originates. When used in a bucket policy with a Deny effect, it ensures that only requests coming from the specified VPC ID are allowed, and all other requests are denied. This key is specifically designed for VPC-based access control in S3 bucket policies.

Exam trap

AWS often tests the distinction between `aws:SourceVpc` and `aws:SourceIp` — the trap here is that candidates mistakenly choose `aws:SourceIp` thinking they can restrict by VPC by using the VPC's CIDR range, but this fails because requests from within the VPC may have different source IPs (e.g., private IPs or NAT public IPs) and cannot reliably identify the VPC.

How to eliminate wrong answers

Option B (`aws:VpcSourceIp`) is wrong because it is not the key for VPC-level control; AWS uses `aws:SourceIp` for IP address-based restrictions, and neither an IP-based key nor a naming variant of it identifies the VPC itself. Option C (`aws:Referer`) is wrong because it is used to restrict access based on the HTTP Referer header, typically for preventing hotlinking from unauthorized websites, not for VPC-based access control. Option D (`aws:SourceIp`) is wrong because it restricts access based on the source IP address of the requester, which is not VPC-specific and cannot enforce that the request originates from a particular VPC, especially when traffic may come through NAT gateways or VPNs.

343
MCQ · medium

A company is using AWS Direct Connect to connect its on-premises network to VPCs in multiple AWS accounts. The company wants to ensure that traffic from the on-premises network can only access specific VPCs based on the source IP address. Which AWS service should be used to enforce this segmentation?

A. VPC Peering
B. AWS Transit Gateway
C. AWS PrivateLink
D. Security Groups
Answer: B

Transit Gateway with route tables can enforce segmentation based on source IP.

Why this answer

Option B is correct because AWS Transit Gateway can use route tables to segment traffic between Direct Connect and multiple VPCs based on source IP. Option A is wrong because VPC Peering does not support source IP filtering. Option C is wrong because AWS PrivateLink is for accessing services within a VPC, not for routing.

Option D is wrong because Security Groups apply at the instance level, not to traffic from Direct Connect.

344
MCQ · medium

A company is using Amazon VPC with a public subnet and a private subnet. The public subnet has a NAT gateway. The private subnet has an Amazon RDS for MySQL database. The security team wants to ensure that the database is not accessible from the internet, but they need to allow a specific on-premises network (IP range 203.0.113.0/24) to connect to the database for maintenance. The company also wants to restrict outbound traffic from the database to only necessary AWS services (e.g., S3 for backups) and deny all other outbound traffic. Which configuration should the security team implement?

A. Create a security group for the database that allows inbound from the on-premises network using a prefix list for 203.0.113.0/24. Create a VPC endpoint for S3 and allow outbound traffic to the endpoint. Keep the private subnet's network ACL default (allow all outbound).
B. Set up a Site-to-Site VPN between the on-premises network and the VPC. Modify the route tables to route 203.0.113.0/24 through the VPN. Place the database in a private subnet and allow inbound from the VPN CIDR. Use an internet gateway for outbound traffic to S3.
C. Modify the database security group to allow inbound TCP 3306 from 203.0.113.0/24. Create a VPC endpoint for S3. Update the private subnet's network ACL to deny all outbound traffic except to the S3 VPC endpoint prefix list.
D. Place the database in a public subnet and use a security group that allows inbound from 203.0.113.0/24. Use the NAT gateway for outbound traffic to S3. Configure the public subnet's network ACL to deny all outbound traffic except to S3.
Answer: C

This directly permits the required on-premises access and restricts outbound traffic to only S3 via the VPC endpoint, which is secure and efficient.

Why this answer

Option C is correct because modifying the database security group to allow inbound TCP 3306 from the on-premises CIDR directly is the simplest and most secure way. Using a VPC endpoint for S3 allows private connectivity. A custom network ACL on the private subnet can deny all outbound traffic except to the VPC endpoint.

Option A is wrong because keeping the default network ACL allows all outbound traffic, which defeats the purpose of restricting egress; also, a security group cannot reference a prefix list for on-premises IPs. Option B is wrong because an internet gateway is not needed for on-premises access via VPN; also, allowing outbound traffic to the internet is insecure. Option D is wrong because placing the database in a public subnet contradicts the requirement that it not be reachable from the internet, and the NAT gateway is not needed for on-premises access.

345
Multi-Select · medium

A company is designing a network security solution for a VPC that hosts a multi-tier web application. The web servers are in a public subnet, and the application servers are in a private subnet. The company wants to ensure that the web servers can only be accessed on port 443 from the internet, and the application servers can only be accessed from the web servers on port 3306. Which THREE components should be configured?

Select 3 answers
A. Network ACL on the public subnet allowing inbound 443 from 0.0.0.0/0
B. Network ACL on the public subnet allowing inbound 443 from 0.0.0.0/0 and outbound ephemeral ports
C. Network ACL on the private subnet allowing inbound 3306 from the public subnet CIDR
D. Security group for application servers allowing inbound 3306 from the web server security group
E. Security group for web servers allowing inbound 443 from 0.0.0.0/0
Answers: B, D, E

The NACL on the public subnet provides stateless filtering for inbound HTTPS and the outbound responses.

Why this answer

Option E (security group for web servers) allows inbound 443 from the internet. Option D (security group for application servers) allows inbound 3306 from the web server security group. Option B (network ACL on the public subnet) adds a layer of stateless filtering for inbound HTTPS and the outbound ephemeral ports needed for responses.

Option A is wrong because an inbound-only rule on a stateless NACL would block the return traffic; the outbound ephemeral-port rule is also required. Option C is wrong because a NACL on the private subnet is not required; the security group is the primary control there.

346
Multi-Select · medium

A network engineer is troubleshooting connectivity issues between an EC2 instance and an RDS database in the same VPC. The EC2 instance can connect to the database, but the connection is slow. Which TWO actions should the engineer take to diagnose the issue? (Choose TWO.)

Select 2 answers
A. Verify the route table for the database subnet to ensure there is a default route to the internet.
B. Check the network ACL for the database subnet to ensure it is stateful.
C. Verify that the security group for the EC2 instance allows outbound traffic on the database port, and the database security group allows inbound from the EC2 instance.
D. Check VPC Flow Logs to analyze traffic patterns and identify drops or latency.
E. Check the route propagation settings on the VPC.
Answers: C, D

Security group misconfigurations can cause slow connections.

Why this answer

Options C and D are correct. Checking the security group rules (C) ensures the proper allow rules exist on both sides. Reviewing VPC Flow Logs (D) can reveal dropped packets or latency.

Option A is wrong because a default route to the internet is not relevant to internal traffic. Option B is wrong because NACLs are stateless, not stateful; they may drop return traffic if rules are missing, but there is no stateful setting to verify. Option E is wrong because route propagation applies to VPN and Direct Connect routes.

347
Multi-Select · easy

A company wants to protect its web application running on Amazon EC2 behind an Application Load Balancer (ALB) from common web exploits like SQL injection and cross-site scripting (XSS). Which THREE AWS services should be used together to provide comprehensive protection?

Select 3 answers
A. AWS WAF
B. Amazon Route 53
C. AWS Shield
D. Amazon CloudFront
E. Application Load Balancer (ALB)
Answers: A, C, E

WAF helps protect against SQL injection, XSS, and other web exploits.

Why this answer

Option A (AWS WAF) protects against web exploits such as SQL injection and XSS. Option E (ALB) is the endpoint that the web ACL is associated with. Option C (AWS Shield) provides DDoS protection.

Option B is wrong because Route 53 is DNS, not security. Option D is wrong because CloudFront can be used with WAF but is not itself a service for protection against web exploits.

348
MCQ · medium

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. The company wants to ensure that all outbound traffic is logged and that only specific destinations are allowed. Which solution meets these requirements?

A. Deploy a NAT gateway in a public subnet and enable VPC Flow Logs
B. Deploy a proxy server in a public subnet and configure the EC2 instance to use it
C. Deploy a NAT instance in a public subnet and enable VPC Flow Logs
D. Attach an internet gateway to the VPC and assign a public IP to the EC2 instance
Answer: A

A NAT gateway provides outbound internet access, and VPC Flow Logs capture traffic metadata for logging.

Why this answer

Option A is correct because a NAT gateway in a public subnet allows outbound internet access from private instances, and VPC Flow Logs can capture the traffic metadata. Option C is wrong because a NAT instance can also work but requires manual management and does not inherently provide logging; Flow Logs still need to be enabled. Option B is wrong because a proxy in a public subnet would require additional configuration and is not the default AWS solution.

Option D is wrong because an internet gateway alone does not provide access for instances in a private subnet.

349
MCQ · easy

A company wants to block inbound traffic from a specific IP address range (203.0.113.0/24) at the VPC level using AWS WAF. Which resource should the AWS WAF web ACL be associated with?

A. Application Load Balancer
B. Network Load Balancer
C. VPC peering connection
D. Security group
Answer: A

AWS WAF can be associated with ALB to filter web traffic.

Why this answer

Option A is correct because AWS WAF can be associated with an Application Load Balancer to filter HTTP/HTTPS traffic. Option B is wrong because NLB does not support AWS WAF. Option C is wrong because VPC peering does not have a web ACL.

Option D is wrong because a security group is used for stateful filtering, but AWS WAF is a separate service for web traffic.

350
MCQ · hard

A company is designing a hub-and-spoke network in AWS. The security team requires that all traffic between VPCs in different spokes must be inspected by a third-party firewall deployed in the hub VPC. Which architecture meets this requirement with minimal complexity?

A. Create VPC peering connections between each spoke VPC and configure security groups to enforce inspection.
B. Use AWS PrivateLink to connect all spoke VPCs to a central service in the hub.
C. Use a Transit Gateway with separate route tables for each spoke VPC, and configure the spoke route tables to route all inter-spoke traffic through the hub VPC firewall.
D. Set up AWS Direct Connect between all VPCs and route through a central firewall.
Answer: C

This forces traffic through the inspection firewall.

Why this answer

Option C is correct because a Transit Gateway with a route table for each spoke that points the default route to the hub VPC forces traffic through the firewall. Option A is wrong because VPC peering does not centralize inspection. Option B is wrong because AWS PrivateLink is for service access, not inter-VPC routing.

Option D is wrong because Direct Connect is for on-premises connectivity.

351
Multi-Selectmedium

A company is implementing a network security solution for a VPC that contains a web application. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The company wants to protect against common web exploits and also filter outbound traffic from the instances. Which TWO services should be used together?

Select 2 answers
A.AWS Shield Advanced
B.AWS WAF
C.AWS Network Firewall
D.Network ACLs
E.Amazon GuardDuty
AnswersB, C

WAF can be associated with the ALB to filter web requests.

Why this answer

Option B (AWS WAF) protects against web exploits at the ALB. Option C (AWS Network Firewall) provides stateful inspection for outbound traffic. Option A is wrong because Shield Advanced is for DDoS protection, not web filtering.

Option D is wrong because NACLs are stateless and not suitable for content filtering. Option E is wrong because GuardDuty is a threat detection service, not a firewall.

352
MCQhard

A company uses AWS Shield Advanced for DDoS protection. During an attack, they notice that legitimate traffic is being throttled. Which configuration change should be made to reduce false positives while maintaining protection?

A.Reduce the rate limit in the Shield Advanced configuration.
B.Increase the rate limit threshold in the associated AWS WAF rate-based rule.
C.Disable the AWS WAF rate-based rule for the duration of the attack.
D.Increase the sensitivity of the AWS WAF web ACL.
AnswerB

A higher threshold allows more legitimate traffic before throttling.

Why this answer

Option B is correct because raising the rate limit threshold in the AWS WAF rate-based rule associated with Shield Advanced reduces false positives while keeping the rule active. Option C is wrong because disabling the rule removes protection. Option D is wrong because 'sensitivity' is not a setting on the web ACL itself; rate limits are set per rule.

Option A is wrong because Shield Advanced does not use a separate rate limit setting.

353
MCQmedium

A company is designing a VPC with public and private subnets. They need to allow instances in the private subnet to access the internet for software updates while preventing inbound internet traffic. Which AWS service should they use?

A.NAT Gateway
B.AWS Direct Connect
C.VPC Peering
D.Internet Gateway
AnswerA

NAT Gateway enables outbound traffic to the internet from private subnets.

Why this answer

Option A is correct because a NAT Gateway allows outbound internet traffic from private subnets while blocking inbound connections. Option D (Internet Gateway) would allow inbound traffic. Option C (VPC Peering) does not provide internet access.

Option B (Direct Connect) is a dedicated connection, not for internet access.

354
MCQeasy

A company is using AWS WAF to protect a web application behind an Application Load Balancer. They want to block requests from a specific IP address range. Which component should they use?

A.Security group associated with the ALB
B.IP set match condition in AWS WAF
C.AWS Shield Advanced
D.Network ACL on the ALB's subnets
AnswerB

AWS WAF uses IP sets to match IP addresses and can block them.

Why this answer

Option B is correct because AWS WAF has IP set match conditions that let you specify IP addresses to block or allow. Option A is wrong because security groups are stateful firewalls for EC2 instances, not for ALB. Option D is wrong because NACLs are stateless firewalls at the subnet level, not integrated with ALB.

Option C is wrong because AWS Shield Advanced is for DDoS protection, not IP-based blocking.

355
MCQeasy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which type of policy should they use?

A.S3 bucket policy with aws:SourceVpce condition
B.S3 bucket policy with aws:SourceIp condition
C.IAM policy
D.VPC endpoint policy
AnswerA

Bucket policies can restrict access based on VPC endpoint ID.

Why this answer

Option A is correct because S3 bucket policies can use conditions such as aws:SourceVpce to restrict access to a specific VPC endpoint. Option C is wrong because IAM policies are for users/roles, not network-level restrictions. Option B is wrong because bucket policies cannot use aws:SourceIp to identify VPC endpoint traffic.

Option D is wrong because VPC endpoint policies apply to the endpoint itself, not to the S3 bucket.

356
MCQeasy

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application stores files in an S3 bucket. The security team wants to ensure that the EC2 instances can only access the specific S3 bucket and no other AWS services. They have created an IAM role for the EC2 instances with a policy that grants s3:PutObject and s3:GetObject on the specific bucket. They have also attached a VPC endpoint for S3 to the VPC and added a bucket policy that allows access only from the VPC endpoint. Despite this, the EC2 instances can still access other S3 buckets. What is the most likely reason?

A.The VPC endpoint does not have a route table associated with the private subnets.
B.The security group on the VPC endpoint is allowing all traffic.
C.The VPC endpoint policy does not restrict access to the specific S3 bucket.
D.The IAM role does not have a trust policy that allows EC2 to assume it.
AnswerC

Without a restrictive endpoint policy, the VPC endpoint allows access to any S3 bucket, and if the instances have any other IAM policies (even default), they could access other buckets.

Why this answer

Option C is correct because the S3 bucket policy restricting access to the VPC endpoint applies only to that bucket; the EC2 instances can still reach other buckets through the endpoint if their IAM permissions allow it, unless a VPC endpoint policy restricts access to the specific bucket. Option D is wrong because a missing trust policy would prevent the instances from using the role at all rather than granting broader access; the role's IAM policy only grants access to the specific bucket, and although other attached IAM policies might allow broader access, the question implies only this policy is attached.

Option A is wrong because if the private subnets' route table lacked a route to the S3 endpoint, traffic would go through the NAT Gateway instead of the endpoint, which by itself would not allow access to other buckets if the IAM policy is restrictive. Option B is wrong because the security group on the endpoint controls traffic to the endpoint, not what can be accessed through it.

357
Multi-Selecthard

A company is designing a network security architecture for a multi-account environment using AWS Organizations. They need to centrally manage and enforce security policies across all accounts. Which THREE services should they consider?

Select 3 answers
A.AWS Direct Connect
B.AWS Firewall Manager
C.AWS Security Hub
D.Amazon Route 53 Resolver DNS Firewall
E.AWS CloudTrail
AnswersB, C, E

Central management of firewall rules.

Why this answer

Options B, C, and E are correct: AWS Firewall Manager centrally manages firewall rules across accounts; AWS Security Hub provides a unified view of security alerts; AWS CloudTrail logs API calls across accounts. Option D is wrong because Amazon Route 53 Resolver DNS Firewall is not a central policy enforcement service. Option A is wrong because AWS Direct Connect is for connectivity, not policy enforcement.

358
MCQmedium

Refer to the exhibit. A security engineer applies this SCP to an AWS account. What is the effect of this policy?

A.All API calls over HTTPS will be allowed
B.Only S3 API calls will be affected
C.The policy requires multi-factor authentication
D.All API calls that are not made over HTTPS will be denied
AnswerD

The condition aws:SecureTransport false triggers a Deny on all actions.

Why this answer

Option D is correct because the policy denies all actions when the request is not made over HTTPS (aws:SecureTransport is false). Option A is wrong because the policy denies non-HTTPS requests; it does not allow anything. Option B is wrong because the policy applies to all services, not only S3.

Option C is wrong because the policy does not require MFA; it requires HTTPS.

359
MCQhard

A network engineer is designing a VPC with private subnets for workloads that must not have direct internet access. However, the workloads need to download patches from a specific third-party vendor's IP range. Which solution minimizes the attack surface?

A.Create a managed prefix list for the vendor's IPs and add a route in the private subnet route table to a NAT gateway, with the prefix list as destination
B.Configure a VPC endpoint for the vendor's service
C.Deploy a proxy server in a public subnet and configure the workloads to use it for all internet traffic
D.Establish a VPN connection to the vendor's network and route all traffic to the vendor through the VPN
AnswerA

Restricts egress to only vendor IPs.

Why this answer

Option A is correct because a managed prefix list used as the destination in the private subnets' route table allows traffic only to the vendor's IPs via the NAT gateway. Option D is wrong because a VPN to the vendor introduces unnecessary complexity and trust. Option C is wrong because a proxy server forwards all internet traffic, not just traffic to the vendor.

Option B is wrong because VPC endpoints are for AWS services only.

360
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all Amazon S3 buckets in the organization are encrypted at rest. Which policy should be attached to the root organizational unit to enforce this requirement?

A.Configure AWS Config rules to mark non-compliant buckets and trigger a Lambda function to add encryption.
B.Create an IAM role in each account that requires encryption for any S3 operation.
C.Use an S3 bucket policy on every existing and future bucket to deny unencrypted uploads.
D.Attach a service control policy (SCP) that denies s3:CreateBucket unless the bucket has default encryption enabled.
AnswerD

SCPs can enforce encryption at the organizational level.

Why this answer

Option D is correct because a service control policy (SCP) attached to the root OU can deny creation of S3 buckets without default encryption, enforcing encryption across all accounts; SCPs let you centrally control permissions. Option B is wrong because IAM roles are per-account.

Option C is wrong because bucket policies are per-bucket, not organization-wide. Option A is wrong because AWS Config rules can detect but not enforce in real time.

361
MCQmedium

An application running on EC2 instances needs to access a DynamoDB table. The security team requires that traffic does not traverse the internet. Which solution should be used?

A.Create a VPC Gateway Endpoint for DynamoDB.
B.Create a VPC Interface Endpoint for DynamoDB.
C.Attach an Internet Gateway to the VPC.
D.Deploy a NAT gateway and update the route table.
AnswerA

Provides private connectivity to DynamoDB.

Why this answer

Option A is correct because a VPC Gateway Endpoint for DynamoDB provides private access. Option D is wrong because a NAT gateway routes to the internet. Option C is wrong because an Internet Gateway provides internet access.

Option B is wrong because VPC Interface Endpoints are for services such as API Gateway; DynamoDB uses a Gateway Endpoint.

362
MCQhard

A company is deploying an AWS Network Firewall in a centralized inspection VPC and needs to send traffic from multiple VPCs through it. The VPCs are attached to a Transit Gateway. What configuration is required to route traffic to the firewall?

A.Create a Transit Gateway route table with a route to the Network Firewall endpoint and attach the VPCs to it.
B.Create a VPC Gateway Endpoint for the firewall service.
C.Add a route in each VPC's subnet routing table pointing to the firewall's elastic network interface.
D.Configure a NAT gateway in each VPC and route traffic through it.
AnswerA

This ensures traffic is routed through the firewall.

Why this answer

Option A is correct because the Transit Gateway route table must have a route pointing to the firewall's endpoint, and the firewall must be configured with the appropriate rules. Option D is wrong because NAT gateways do not route traffic to firewalls. Option B is wrong because VPC endpoints are for accessing AWS services.

Option C is wrong because subnet routes cannot point to the firewall directly without an endpoint.

363
MCQeasy

A network engineer runs the above command and sees that VPC Flow Logs are configured for a VPC. The engineer wants to analyze rejected traffic to troubleshoot a connectivity issue. Which field in the flow log records should they examine?

A.protocol
B.action
C.srcaddr
D.dstport
AnswerB

Shows whether traffic was accepted or rejected.

Why this answer

Option B is correct because the 'action' field in VPC Flow Logs indicates ACCEPT or REJECT. Option C is wrong because 'srcaddr' is the source IP. Option D is wrong because 'dstport' is the destination port.

Option A is wrong because 'protocol' is the IANA protocol number.

364
MCQmedium

A company has an AWS Lambda function that needs to access an S3 bucket in the same AWS account. The Lambda function is configured to use the VPC default execution role. The S3 bucket policy denies all principals except those explicitly allowed. The Lambda function cannot access the bucket. What should be done to resolve this issue?

A.Add an IAM policy to the Lambda execution role that allows s3:GetObject on the bucket
B.Remove the bucket policy that denies all principals
C.Attach an internet gateway to the VPC and a public IP to the Lambda function
D.Create a VPC endpoint for S3 and attach it to the Lambda function's VPC
AnswerA

The Lambda execution role must have the necessary S3 permissions to access the bucket.

Why this answer

Option A is correct because the Lambda function's execution role needs an IAM policy allowing s3:GetObject (or the appropriate actions) on the bucket; the bucket policy must also grant access to the Lambda execution role. Option B is wrong because removing the bucket policy does not give the execution role the S3 permissions it still lacks. Option D is wrong because VPC endpoints do not grant access; IAM permissions are still needed, and an endpoint is not required for Lambda to access S3 in the same account if the bucket policy allows the role.

Option C is wrong because the Lambda function does not need an internet gateway if it uses a VPC endpoint or if the bucket policy allows the role.

365
Multi-Selecteasy

A security engineer needs to capture and analyze network traffic between two EC2 instances in the same VPC for troubleshooting. The engineer wants to capture full packets and store them for later analysis. Which TWO AWS services can be used together to accomplish this? (Choose TWO.)

Select 2 answers
A.Amazon S3
B.AWS Config
C.VPC Flow Logs
D.Traffic Mirroring
E.Amazon CloudWatch Logs
AnswersA, D

Can store the mirrored traffic for analysis.

Why this answer

Options A and D are correct. Traffic Mirroring (D) captures full packets and sends them to a target. Amazon S3 (A) can store the captured traffic.

Option C is wrong because VPC Flow Logs capture metadata only. Option E is wrong because CloudWatch Logs is not designed for packet storage. Option B is wrong because AWS Config does not capture traffic.

366
MCQmedium

A company wants to restrict access to its S3 bucket so that only objects uploaded with server-side encryption using AWS KMS (SSE-KMS) are allowed. Which bucket policy condition should be used?

A.s3:x-amz-server-side-encryption-aws-kms-key-id
B.s3:x-amz-server-side-encryption
C.kms:ViaService
D.kms:EncryptionContext
AnswerA

This condition key allows you to enforce that a specific KMS key is used for encryption.

Why this answer

Option A is correct because the s3:x-amz-server-side-encryption-aws-kms-key-id condition key ensures objects are encrypted with a specific KMS key, enforcing SSE-KMS. Option B is wrong because s3:x-amz-server-side-encryption only checks for encryption, not the specific key. Option D is wrong because kms:EncryptionContext is not an S3 condition key.

Option C is wrong because kms:ViaService is used in KMS key policies, not S3 bucket policies.

367
MCQhard

A company is using AWS Direct Connect to connect their on-premises network to AWS. They have a virtual private gateway (VGW) attached to their VPC and a Direct Connect virtual interface (VIF) configured. They want to use AWS Site-to-Site VPN as a backup connection. Which configuration ensures that traffic automatically uses the VPN if the Direct Connect connection fails?

A.Configure the VPN connection but attach it to a separate VGW, and use a transit gateway with failover routing.
B.Configure the VPN connection and propagate routes from both the Direct Connect and VPN. Create a static route in the route table for the on-premises CIDR pointing to the VPN.
C.Configure the VPN connection but do not propagate routes; use static routes in the route table.
D.Configure the VPN connection and propagate routes from both the Direct Connect and VPN. Create a static route in the route table for the on-premises CIDR pointing to the Direct Connect VIF with a higher metric.
AnswerD

The static route with a higher metric serves as a backup; if Direct Connect fails, the propagated VPN route takes over.

Why this answer

Option D is correct because propagating BGP routes from both the Direct Connect VIF and the VPN, and creating a static route with a higher metric (less preferred) for the Direct Connect route, allows automatic failover. Option A is wrong because the VPN must be configured to handle failover. Option B is wrong because the VPN alone does not provide automatic failover without route propagation.

Option C is wrong because the VPN must be attached to the VGW.

368
MCQmedium

A company uses AWS Organizations with SCPs to restrict access. The security team needs to prevent users in the 'Developers' OU from disabling AWS Config or modifying its rules. Which SCP effect should be used?

A.Block
B.Deny
C.Allow
D.NotAction
AnswerB

Deny explicitly prohibits specified actions.

Why this answer

Option B is correct because a Deny effect explicitly blocks the action, overriding any Allow. Option C is wrong because Allow would not prevent the action. Option A is wrong because SCPs do not have a Block effect.

Option D is wrong because NotAction is a policy element, not an effect.

369
MCQhard

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The network team notices that the BGP session between the on-premises router and the AWS virtual private gateway (VGW) is flapping. The on-premises router is configured to advertise a specific prefix. Which configuration change is MOST likely to stabilize the BGP session?

A.Add ASN prepending to the advertised prefix.
B.Adjust BGP timers (keepalive and hold time) to match between the on-premises router and the VGW.
C.Enable BGP MD5 authentication on both sides.
D.Apply a route-map on the VGW to filter the prefix.
AnswerB

Mismatched timers can cause flapping.

Why this answer

Option B is correct because mismatched BGP timers can cause flapping; adjusting them to match stabilizes the session. Option C is wrong because MD5 authentication is for security, not flapping. Option A is wrong because ASN prepending affects route selection, not session stability.

Option D is wrong because the VGW does not support route-maps.

370
MCQeasy

A company hosts a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The security team wants to block a list of known malicious IP addresses from accessing the application. They have already created an AWS WAF web ACL and associated it with the ALB. What is the MOST efficient way to block the IP addresses?

A.Place a CloudFront distribution in front of the ALB and use CloudFront's geo-restriction feature.
B.Add an AWS WAF rule to the web ACL that uses the 'IP reputation lists' managed rule group to block malicious IPs.
C.Configure a network ACL on the ALB's subnet to deny inbound traffic from each malicious IP.
D.Add each IP address as an inbound deny rule in the security group of the ALB.
AnswerB

The managed rule group automatically blocks known malicious IPs.

Why this answer

Option B is correct because AWS WAF offers the 'IP reputation lists' managed rule group, which automatically blocks known malicious IPs. Option D is wrong because updating security groups is not scalable for a large list. Option C is wrong because Network ACLs are stateless and not designed for application-layer blocking.

Option A is wrong because CloudFront is an additional layer not mentioned in the requirement and would add complexity.

371
MCQhard

A company has a VPC with an internet-facing Application Load Balancer (ALB) that routes traffic to EC2 instances in private subnets. The security team wants to block traffic from specific geographic regions. Which AWS service should they use?

A.AWS WAF
B.AWS Shield Advanced
C.Network ACLs
D.Security Groups
AnswerA

WAF can create geo-match conditions to block traffic from specific countries.

Why this answer

Option A is correct because AWS WAF can be associated with an ALB to filter traffic based on geographic location. Option D is wrong because Security Groups do not support geographic blocking. Option C is wrong because Network ACLs do not support geographic blocking.

Option B is wrong because AWS Shield Advanced provides DDoS protection, not geographic filtering.

372
Multi-Selecthard

Which THREE of the following are best practices for securing a VPC? (Choose three.)

Select 3 answers
A.Enable AWS Shield Advanced for DDoS protection.
B.Use security groups to control inbound and outbound traffic at the instance level.
C.Use network ACLs as a stateless layer of defense for subnets.
D.Allow all outbound traffic from the VPC to the internet.
E.Assign a default security group that allows all traffic.
AnswersA, B, C

AWS Shield Advanced provides enhanced DDoS protection for VPC resources.

Why this answer

Options A, B, and C are correct. Using security groups as a virtual firewall at the instance level is a best practice. Using network ACLs as a stateless second layer of defense is also recommended.

AWS Shield Advanced is a managed DDoS protection service that should be enabled for VPCs with public endpoints. Option D is incorrect because allowing all outbound traffic is not a security best practice; egress should be restricted. Option E is incorrect because the default security group should not allow all traffic; it should be restrictive.

373
MCQeasy

A company is using AWS Secrets Manager to store database credentials. They want to ensure that the credentials are automatically rotated every 30 days. Which configuration is required?

A.Enable automatic rotation in the secret configuration and provide a Lambda rotation function.
B.Store the secret in AWS Systems Manager Parameter Store and configure a rotation schedule.
C.Store the secret in AWS CloudHSM and use a scheduled Lambda to rotate.
D.Use IAM Access Analyzer to rotate the credentials periodically.
AnswerA

Secrets Manager supports automatic rotation using Lambda functions.

Why this answer

Option A is correct because Secrets Manager can automatically rotate secrets with a Lambda rotation function. Option B is wrong because Systems Manager Parameter Store does not have built-in rotation. Option D is wrong because IAM Access Analyzer does not rotate credentials.

Option C is wrong because CloudHSM is a hardware security module service, not an automated rotation mechanism.

374
MCQmedium

A company has a VPC with a public subnet and a private subnet. They have a web server in the public subnet and a database in the private subnet. The web server needs to communicate with the database on port 3306. Security groups are configured as follows: Web server SG allows inbound HTTP/HTTPS from 0.0.0.0/0 and outbound to database SG on port 3306. Database SG allows inbound from web server SG on port 3306. However, the web server cannot connect. Network ACLs are default. What is the issue?

A.The network ACL on the private subnet denies inbound traffic on port 3306.
B.Security groups are stateful, so no outbound rule is needed; the issue is something else.
C.The web server security group does not allow outbound traffic to the database.
D.The database security group inbound rule is not correctly referencing the web server security group ID.
AnswerD

The rule must reference the security group ID, not the instance ID.

Why this answer

Option D is correct: the web server security group's outbound rule already allows traffic to the database SG, so the likely issue is that the database SG inbound rule is not referencing the correct web server security group ID, or the web server SG is not attached to the web server. Option A is wrong because the default NACLs allow all traffic.

Option C is wrong because the web server SG outbound rule is correctly configured. Option B is wrong because, although security groups are stateful and allow return traffic for permitted connections, the issue here is the inbound rule on the database SG.

375
MCQhard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to minimize data transfer costs and avoid exposing the private instance to inbound traffic from the internet. Which solution meets these requirements?

A.Create a VPC Gateway Endpoint for Amazon S3 and ensure the patches are hosted in S3. Route private subnet traffic to the endpoint.
B.Attach an internet gateway to the VPC and route the private subnet's default route to a NAT gateway in the public subnet.
C.Launch a NAT instance in the public subnet and route the private subnet's default route to it.
D.Attach an internet gateway to the VPC and assign a public IP to the EC2 instance.
AnswerA

No NAT cost, no inbound exposure, and uses AWS private network.

Why this answer

Option A is correct because a VPC Gateway Endpoint for S3 allows private access to the patches in S3 without NAT costs. Option B is wrong because a NAT gateway incurs costs and allows inbound traffic. Option C is wrong because a NAT instance similarly incurs costs and allows inbound traffic.

Option D is wrong because an internet gateway with a public IP would expose the instance.
