Protecting Subnets from DoS Attacks | AWS Certified Security - Specialty Exam

Securing Subnets from DoS Attacks

Question

A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet created with default Network ACL settings.

The IT Security department suspects that a DoS attack is coming from a particular IP address.

How can you protect the subnets from this attack?

Answers

A. Change the Inbound Security Group to deny access from the suspect IP address.
B. Change the Outbound Security Group to deny access from the suspect IP address.
C. Change the Inbound Network ACL to deny access from the suspect IP address.
D. Change the Outbound Network ACL to deny access from the suspect IP address.

Answer: C.

Options A and B are incorrect because a Security Group works at the instance (network interface) level, not the subnet level, and its rules are allow-only: you cannot write a Security Group rule that denies a specific source address.

Option C is CORRECT because adding a deny entry for the suspect IP address to the inbound Network ACL blocks that source for the whole subnet.

A network access control list (Network ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

Option D is incorrect because the attack traffic enters the subnet, so the IP address (and, where applicable, the port) must be restricted on an inbound NACL rule.

Outbound rules apply to traffic leaving the subnet (for example, toward the Internet). Because NACLs are stateless, that includes the subnet's own reply packets, so the outbound rules must keep allowing the ephemeral ports on which clients receive responses.

For more information on Network Access Control Lists, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

The most appropriate option for protecting the subnet from a DoS attack originating from a suspect IP address is to change the inbound Network ACL to deny access from that address.

Explanation:

Amazon RDS is a managed database service that simplifies the setup, operation, and scaling of a relational database in the cloud. RDS supports various database engines, including MySQL, Oracle, and Microsoft SQL Server. An RDS instance is launched into a VPC, which provides isolated network resources in the cloud, and is placed in the subnets of the DB subnet group you specify. In this scenario that is a private subnet: it has no route to an Internet gateway, so the database is reachable only from addresses that can route into the VPC.

A Network ACL (NACL) is a stateless firewall that controls inbound and outbound traffic at the subnet level. Rules are numbered and evaluated in ascending order; the first rule that matches a packet decides it, and the final '*' rule denies anything unmatched. The default NACL that comes with a VPC contains one rule (100) that allows all inbound and all outbound traffic, which is what the question's subnet uses; a custom NACL starts with no allow rules and therefore denies everything. You can add rules that allow or deny traffic by CIDR block, protocol, and port range. Because the NACL is stateless, return traffic is not tracked: a response leaving the subnet is evaluated against the outbound rules on its own.

In this scenario, the company suspects that a DoS attack is coming from a particular IP address. To protect the RDS instance in the private subnet from this attack, we need to block traffic from that address at the subnet boundary. The most appropriate way to do this is to add a deny rule for the suspect address (as a /32 CIDR) to the inbound NACL of the private subnet. Because the first matching rule wins, the deny must carry a lower rule number than the existing allow-all rule 100, or it will never be reached.
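The rule-ordering and statelessness points above, as an added, runnable example (this is constructed illustration code, not from the original page or from AWS). It models NACL evaluation the way AWS performs it, lowest rule number first, first match wins, trailing '*' deny, and checks what the suspect address, the web tier, and the database's own reply packets see. The suspect address 203.0.113.45, the web-tier address 10.0.1.20, the rule numbers and the ACL ID acl-0123456789abcdef0 are all assumptions; the aws ec2 create-network-acl-entry flags are the real ones.

```python
"""Stateless, ordered Network ACL evaluation for the private RDS subnet.

Added, constructed example (not code from the original page). Rule numbers,
the ACL ID and all addresses are made up; 203.0.113.0/24 is a documentation
range (RFC 5737) standing in for the suspect's address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class NaclRule:
    """One NACL entry. AWS evaluates entries in ascending rule number and
    stops at the first match; the trailing '*' rule denies everything else."""
    number: int
    action: str              # "allow" or "deny"
    cidr: str                # remote range: source for inbound, destination for outbound
    protocol: str = "-1"     # "-1" means all protocols, otherwise "tcp" or "udp"
    port_from: int = 0       # destination port range, ignored when protocol is "-1"
    port_to: int = 65535

    def matches(self, remote_ip: str, protocol: str, port: int) -> bool:
        if self.protocol != "-1":
            if protocol != self.protocol or not (self.port_from <= port <= self.port_to):
                return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)


def evaluate(rules: List[NaclRule], remote_ip: str, protocol: str = "tcp", port: int = 3306) -> str:
    """Return "allow" or "deny" for one packet: lowest rule number wins, and an
    unmatched packet hits the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(remote_ip, protocol, port):
            return rule.action
    return "deny"


# The default NACL: a single rule 100 that allows everything, then '*' deny.
DEFAULT_NACL = [NaclRule(100, "allow", "0.0.0.0/0")]

SUSPECT_IP = "203.0.113.45"      # constructed suspect address
APP_TIER_IP = "10.0.1.20"        # constructed web-tier address that must keep reaching MySQL


def with_deny(rules: List[NaclRule], cidr: str, rule_number: int) -> List[NaclRule]:
    """Return the NACL with an added deny for cidr. Because the first matching
    rule wins, the number must sort before the allow-all at 100."""
    return rules + [NaclRule(rule_number, "deny", cidr)]


def deny_rule_cli_args(acl_id: str, cidr: str, rule_number: int) -> List[str]:
    """argv for the equivalent AWS CLI call (the flags are the real ones for
    create-network-acl-entry; the ACL ID passed in is an assumption)."""
    return ["aws", "ec2", "create-network-acl-entry",
            "--network-acl-id", acl_id, "--ingress",
            "--rule-number", str(rule_number), "--protocol", "-1",
            "--rule-action", "deny", "--cidr-block", cidr]


# Why outbound rules still matter (option D is wrong, but not irrelevant):
# NACLs are stateless, so MySQL's replies, which go to the client's ephemeral
# port, are evaluated against the outbound rules too.
STRICT_OUTBOUND = [NaclRule(100, "allow", "10.0.0.0/16", "tcp", 3306, 3306)]


def reply_allowed(outbound_rules: List[NaclRule], client_ip: str, ephemeral_port: int) -> bool:
    """Does the subnet's outbound NACL let the DB answer a client on ephemeral_port?"""
    return evaluate(outbound_rules, client_ip, "tcp", ephemeral_port) == "allow"


if __name__ == "__main__":
    blocked = with_deny(DEFAULT_NACL, SUSPECT_IP + "/32", 50)
    too_late = with_deny(DEFAULT_NACL, SUSPECT_IP + "/32", 150)
    print("suspect, deny at 50 :", evaluate(blocked, SUSPECT_IP))    # deny
    print("suspect, deny at 150:", evaluate(too_late, SUSPECT_IP))   # allow (rule 100 matched first)
    print("app tier, deny at 50:", evaluate(blocked, APP_TIER_IP))   # allow
    print(" ".join(deny_rule_cli_args("acl-0123456789abcdef0", SUSPECT_IP + "/32", 50)))
    print("reply with 3306-only outbound:", reply_allowed(STRICT_OUTBOUND, APP_TIER_IP, 49152))  # False
    fixed = STRICT_OUTBOUND + [NaclRule(110, "allow", "10.0.0.0/16", "tcp", 1024, 65535)]
    print("reply with ephemeral range   :", reply_allowed(fixed, APP_TIER_IP, 49152))           # True
```

Run it as a script to see the outcomes side by side: the deny at rule number 150 is the common mistake, since the default allow-all at 100 matches first and the deny is never reached, and the 3306-only outbound NACL shows why a stateless filter must also allow the ephemeral port range for replies.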

Option A is incorrect because a Security Group only filters traffic reaching the instance (its network interface), and its rules are allow-only, so there is no way to deny one address without removing the allows that legitimate clients rely on. Security groups are also stateful: return traffic for an allowed connection is permitted automatically, regardless of the rules in the other direction.

Option B is incorrect because changing the Outbound Security Group would not block traffic arriving from the suspect IP address. Outbound security group rules govern connections initiated by the instance, and in any case security group rules can only allow traffic (by protocol, port range and source or destination CIDR), never deny it.

Option D is also incorrect because changing the Outbound NACL would not block traffic from the suspect IP address. Outbound NACL rules only apply to packets leaving the subnet, not packets coming into it. Since NACLs are stateless, those outbound rules do govern the subnet's replies, so they must stay open for the ephemeral ports on which clients receive responses.

Therefore, option C, changing the inbound NACL to deny access from the suspect IP address, is the most appropriate way to protect the subnet from the suspected DoS attack.