AWS Certified Security – Specialty (SCS-C02) — Question 239

A security engineer has designed a VPC to segment private traffic from public traffic. The VPC includes two Availability Zones. The security engineer has provisioned each Availability Zone with one private subnet and one public subnet. The security engineer has created three route tables for use with the environment. One route table is for the public subnets, and two route tables are for the private subnets (one route table for the private subnet in each Availability Zone).

The security engineer discovers that all four subnets are attempting to route traffic out through the internet gateway that is attached to the VPC.

Which combination of steps should the security engineer take to remediate this scenario? (Choose two.)

Answer options

• A. Verify that a NAT gateway has been provisioned in the public subnet in each Availability Zone.
• B. Verify that a NAT gateway has been provisioned in the private subnet in each Availability Zone.
• C. Modify the route tables that are associated with each of the public subnets. Create a new route for local destinations to the VPC CIDR range.
• D. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the NAT gateway in the public subnet of the same Availability Zone as the target of the route.
• E. Modify the route tables that are associated with each of the private subnets. Create a new route for the destination 0.0.0.0/0. Specify the internet gateway in the public subnet of the same Availability Zone as the target of the route.

Correct answer: A, D

Explanation

The correct steps involve verifying that a NAT gateway is provisioned in the public subnet (A) and modifying the route tables for the private subnets to route traffic through the NAT gateway (D). The other options are incorrect because private subnets should not use an internet gateway (E) and NAT gateways should be in public subnets, not private subnets (B).