Question 352 of 375 from exam CLF-C01: AWS Certified Cloud Practitioner

Question

I have a web application with the following VPC configuration as shown below.

Subnet 1 (172.31.0.0/20) hosts a Web Server (on an EC2 instance) and Subnet 2 (172.31.16.0/20) hosts a Database Server (on an EC2 instance).

Which of the statements mentioned below do NOT define good practice from a Security & Compliance perspective and may be modified in the diagram? Select TWO.

[Figure: the main route table of the VPC, with Destination and Target columns; the individual entries are not legible in the extracted image.]

Answers

Explanations

Answers: D and E.

The figure above shows that both the Database Server and the Web Server have routes to the internet gateway through the main route table.

Database servers are usually hosted in a non-DMZ zone, which offers more protection from outside attack.

Also, since the web servers front-end the application requests, it should not be necessary to expose the backend database directly to the internet.

Option A is incorrect.

Since the Web Server front-ends application requests, it should have a route to the Internet Gateway so that it can be reached from the Internet.

Option B is incorrect.

A default subnet provides both a public IPv4 and a private IPv4 address.

The Web Server will require either a public IP or an Elastic IP to be accessible from the Internet.

Option C is incorrect.

A NAT gateway provides egress-only access to the internet, allowing the Database Server to connect outbound to fetch software patches while blocking connections initiated from the internet.

This is a good practice for disallowing direct ingress access to the Database Server from the internet.

The diagram can be modified to reflect this change.

Option D is CORRECT.

Since the database does not require a public IP, it is suitable to host the DB Server on a non-default subnet, which does not allocate a public IP by default.

Option E is CORRECT.

The database server should not have a route to the Internet Gateway.

Diagram:

[Figure: a VPC (10.0.0.0/16) in one Region with a public subnet containing web servers and a NAT gateway, connected to the Internet through an internet gateway. Legible labels: Elastic IPs 198.51.100.1 and 198.51.100.4, private IPs 10.0.0.5, 10.0.0.7 and 10.0.0.8; the remaining address labels are not legible in the extracted image.]

Custom route table
Destination  Target
10.0.0.0/16  local
0.0.0.0/0    igw-id

Main route table
Destination  Target
10.0.0.0/16  local
0.0.0.0/0    nat-gateway-id

References:

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
https://www.testpreptraining.com/tutorial/aws-cloud-practitioner/aws-cloud-security/