AWS Certified Security – Specialty — Question 394

A company operates a web application that runs on Amazon EC2 instances. The application listens on port 80 and port 443. The company uses an Application Load Balancer (ALB) with AWS WAF to terminate SSL and to forward traffic to the application instances only on port 80.

The ALB is in public subnets that are associated with a network ACL that is named NACL. The application instances are in dedicated private subnets that are associated with a network ACL that is named NACL2. An Amazon RDS for PostgreSQL DB instance that uses port 5432 is in a dedicated private subnet that is associated with a network ACL that is named NACL3. All the network ACLs currently allow all inbound and outbound traffic.

Which set of network ACL changes will increase the security of the application while ensuring functionality?

Answer options

Correct answer: B

Explanation

Option B is correct because network ACLs are stateless: they evaluate each packet on its own, so both the inbound and the outbound direction need explicit rules, and those rules must reference CIDR blocks (referencing another network ACL by name, as Option A does, is not supported). Because the application subnets initiate the connections to the database on port 5432, the database network ACL (NACL3) must allow inbound traffic on port 5432 from the application subnets' CIDR blocks and outbound return traffic on the ephemeral port range (1024-65536) back to those same CIDR blocks. Options C and D are incorrect because they do not configure the necessary ephemeral port ranges and would therefore break connectivity from the application tier to the database.
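To make the stateless point concrete, the following added example (not part of the question or its explanation) models NACL3 as an ordered rule list and evaluates both halves of one PostgreSQL connection: the request packet entering the database subnet and the reply packet leaving it. The CIDR blocks, IP addresses and the client's ephemeral port are constructed for the example; the question gives no addresses. The outbound rule uses 1024-65535, the top of the TCP port space, as its upper bound.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (assumption: the question names no CIDRs).
APP_SUBNET_CIDRS = ["10.0.10.0/24", "10.0.11.0/24"]  # application tier, behind NACL2
ALB_SUBNET_CIDR = "10.0.1.0/24"                      # public ALB subnet, behind NACL


@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated in ascending order; first match wins
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # destination port range the rule covers
    port_to: int
    cidr: str        # source CIDR for an inbound rule, destination CIDR for an outbound rule


def evaluate(rules, protocol, dst_port, peer_address):
    """Stateless decision for one packet.

    peer_address is the packet's source for an inbound rule set and its
    destination for an outbound rule set. No connection state is consulted,
    which is exactly why the reply direction needs its own rule.
    """
    addr = ipaddress.ip_address(peer_address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not rule.port_from <= dst_port <= rule.port_to:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action == "allow"
    return False  # implicit final "*" rule: deny everything not matched above


def nacl3_rules(include_ephemeral_return):
    """Rules for the database subnet's network ACL.

    Inbound: only TCP 5432 from the application subnets.
    Outbound: return traffic to the application subnets' ephemeral ports,
    included only when include_ephemeral_return is True so the failure mode
    of forgetting it can be demonstrated.
    """
    inbound = [Rule(100 + 10 * i, "allow", "tcp", 5432, 5432, cidr)
               for i, cidr in enumerate(APP_SUBNET_CIDRS)]
    outbound = []
    if include_ephemeral_return:
        outbound = [Rule(100 + 10 * i, "allow", "tcp", 1024, 65535, cidr)
                    for i, cidr in enumerate(APP_SUBNET_CIDRS)]
    return inbound, outbound


def db_connection_allowed(inbound, outbound, client_ip="10.0.10.25", client_port=49152):
    """A TCP session crosses NACL3 twice: request in, reply out.

    The request is checked against the inbound rules with destination port
    5432 and source = client. The reply is checked against the outbound rules
    with destination port = the client's ephemeral port and destination = client.
    Both must be allowed or the session never completes.
    """
    request_ok = evaluate(inbound, "tcp", 5432, client_ip)
    reply_ok = evaluate(outbound, "tcp", client_port, client_ip)
    return request_ok and reply_ok


if __name__ == "__main__":
    inb, outb = nacl3_rules(include_ephemeral_return=True)
    print("app -> db with return rule:", db_connection_allowed(inb, outb))
    inb, outb = nacl3_rules(include_ephemeral_return=False)
    print("app -> db without return rule:", db_connection_allowed(inb, outb))
    print("ALB subnet -> db port 5432:", evaluate(inb, "tcp", 5432, "10.0.1.7"))
```

Running the script shows the connection succeeding only when the outbound ephemeral-port rule is present, and a packet from the ALB subnet to port 5432 being denied by the implicit final rule, which is the tightening the correct option achieves.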