A company is hosting a website that must be accessible to users for HTTPS traffic.
Also, port 22 should be open for administrative purposes.
The administrator's workstation has a static IP address of 203.0.113.1/32. Which of the following security group configurations is the MOST secure but still functional to support these requirements? Choose 2 answers from the options given below.
A. B. C. D.
Answer: A and D.
The question asks for the following 2 requirements:
A website that must be accessible to users for HTTPS traffic (over the public Internet).
Port 22 should be open for administrative purposes for the administrator's workstation with a static IP address of 203.0.113.1/32.
Option A is CORRECT because HTTPS traffic (over the public Internet) is allowed.
This option meets the first requirement.
Option B is incorrect because it allows traffic only from a particular CIDR block and not from the internet (0.0.0.0/0).
Option C is incorrect because allowing port 22 from the internet (0.0.0.0/0) is a security risk as it will allow anyone from the public internet to SSH (on port 22) into the Linux VM.
Option D is CORRECT because this allows SSH access (over port 22) for the administrator's workstation with the static IP address.
This option meets the second requirement.
For more information on AWS Security Groups, please visit the following URL:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
The most secure and functional security group configuration to support the given requirements would be to open only the necessary ports and restrict access to them.
Port 443 is required for HTTPS traffic, and it should be accessible from any IP address to allow users to connect to the website. However, port 22 should be restricted to only the administrative workstation IP address, as it is not required for the website's functionality and is commonly used for administrative purposes.
Therefore, the two correct answers are:
Options B and C are less secure because they either restrict access to the necessary port (B) or allow access to an administrative port from any IP address (C), which can increase the risk of unauthorized access.
In summary, the most secure and functional security group configuration to support the given requirements is to open port 443 to any IP address and restrict access to port 22 to only the administrator's workstation IP address.
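The reasoning above can be turned into a check over a security group's ingress rules. The following is an added example, not part of the original explanation: the rule dictionaries follow the IpPermissions shape that EC2 returns when describing a security group, the function names (covers, audit, tcp_rule) are hypothetical, and the three rule sets are constructed to mirror the secure combination and the two flaws discussed for options B and C.

```python
import ipaddress

ADMIN_CIDR = "203.0.113.1/32"  # administrator workstation, from the question
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

def covers(rule, port):
    """True if an ingress rule applies to the given TCP port."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def audit(rules, admin_cidr=ADMIN_CIDR):
    """Return findings; an empty list means both requirements are met with least exposure."""
    admin = ipaddress.ip_network(admin_cidr)
    findings, https_public, ssh_admin = [], False, False
    for rule in rules:
        exact = rule["IpProtocol"] == "tcp" and rule["FromPort"] == rule["ToPort"]
        if not (exact and rule["FromPort"] in (22, 443)):
            findings.append("rule opens more than port 22 or 443")
        for rng in rule.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if covers(rule, 443) and src == ANYWHERE:
                https_public = True
            if covers(rule, 22):
                if admin.subnet_of(src):
                    ssh_admin = True
                if src != admin:
                    findings.append(f"port 22 reachable from {src}, wider than {admin}")
    if not https_public:
        findings.append("port 443 is not reachable from 0.0.0.0/0")
    if not ssh_admin:
        findings.append(f"port 22 is not reachable from {admin}")
    return findings

def tcp_rule(port, cidr):
    """Build a constructed single-port TCP ingress rule."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed rule sets (not taken from the original options).
SECURE = [tcp_rule(443, "0.0.0.0/0"), tcp_rule(22, ADMIN_CIDR)]
HTTPS_RESTRICTED = [tcp_rule(443, ADMIN_CIDR), tcp_rule(22, ADMIN_CIDR)]
SSH_PUBLIC = [tcp_rule(443, "0.0.0.0/0"), tcp_rule(22, "0.0.0.0/0")]

if __name__ == "__main__":
    for name, rs in [("secure", SECURE), ("https restricted", HTTPS_RESTRICTED),
                     ("ssh public", SSH_PUBLIC)]:
        print(name, "->", audit(rs) or "OK")
```

The check also flags all-traffic rules (protocol "-1") and port ranges that happen to include 22, which are easy to miss when reading rules by eye.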