AWS Certified Security – Specialty (SCS-C02) — Question 232

A security engineer has been asked to troubleshoot inbound connectivity to a web server. This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly.

The architecture includes network ACLs, security groups, and a virtual security appliance. In addition, the development team has implemented Application Load Balancers (ALBs) to distribute the load across all web servers. It is a requirement that traffic between the web servers and the internet flow through the virtual security appliance.

The security engineer has verified the following:

1. The rule set in the security groups is correct.
2. The rule set in the network ACLs is correct.
3. The rule set in the virtual appliance is correct.

Which of the following are other valid items to troubleshoot in this scenario? (Choose two.)

Answer options

• A. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to a NAT gateway.
• B. Verify which security group is applied to the particular web server’s elastic network interface (ENI).
• C. Verify that the 0.0.0.0/0 route in the route table for the web server subnet points to the virtual security appliance.
• D. Verify the registered targets in the ALB.
• E. Verify that the 0.0.0.0/0 route in the public subnet points to a NAT gateway.

Correct answer: C, D

Explanation

Option C is correct because the route table for the web server subnet must direct traffic to the virtual security appliance to ensure proper inbound connectivity. Option D is also correct as verifying the registered targets in the ALB is crucial to ascertain that the web server is included and properly configured to receive traffic. Options A, B, and E are less relevant, as they do not directly address the need for routing through the virtual security appliance or the ALB configuration.