PrepAway - Latest Free Exam Questions & Answers

Which two options meet this security requirement?

You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer (ELB),
web servers, application servers and a database. Your web application should only accept traffic from predefined customer IP addresses.
Which two options meet this security requirement? Choose 2 answers

A.
Configure web server VPC security groups to allow traffic from your customers’ IPs

B.
Configure your web servers to filter traffic based on the ELB’s “X-forwarded-for” header

C.
Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic

D.
Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic

17 Comments on “Which two options meet this security requirement?”

  1. Vamsi says:

    I think correct answer is A & D

    Since security groups can only allow the traffic and can't deny the traffic, C is wrong.

    Since X-forwarded-for is used for proxy redirection at webserver level. Here we need to deny all the IP to access our B2B application except specified IPs. So B is wrong.

  2. ezrygi says:

    D is clearly wrong as NACLs are stateless. If you deny all outbound traffic, return traffic will not be permitted because NACLs don’t remember the state of the session.

    C can be used quite effectively. Security groups are stateful, meaning that if there is a state created as a result of a permit statement such as an inbound web request, the returning traffic will be permitted back out regardless of the outbound security group rules. This increases the security to prevent an infected web server from making outbound connections. Security groups can deny traffic, and by default they are set to permit all outbound and deny all inbound traffic.

    B is not best practice. Your network access control policies should be enforced at the network layer, not the application layer.

    A is best practice, creating security groups per application and applying them as such.

    Answer is A and C

    1. Christine says:

      C is incorrect. Based on the following rules of security group:
      You can specify allow rules, but not deny rules.
      By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic is allowed.
      Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
      http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

  3. BDA says:

    I like this question, answer is A & B

    Here is the rationale for B

    The X-Forwarded-For request header helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer. Because load balancers intercept traffic between clients and servers, your server access logs contain only the IP address of the load balancer. To see the IP address of the client, use the X-Forwarded-For request header. Elastic Load Balancing stores the IP address of the client in the X-Forwarded-For request header and passes the header to your server.

  4. ali says:

    A & B is the answer

    C option: stated as deny IP addresses, but in an SG we cannot deny IPs.

    D option: as NACLs are stateless, the deny would not let the return traffic back to the IP.

  5. leon says:

    should be B C

    Configure web server VPC security groups to allow traffic from your customers’ IPs (Web server is behind the ELB and customer IPs will never reach web servers)
    Configure your web servers to filter traffic based on the ELB’s “X-forwarded-for” header (get the customer IPs and create a custom filter to restrict access. Refer link)
    Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic (ELB will see the customer IPs so it can restrict access; deny all is basically having no rules in outbound traffic, implicit, and it's stateful so it would work)
    Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic (NACL is stateless, deny all will not work)

  6. baboon says:

    A and B are the correct answers – 100%

    You cannot add ‘deny’ rules in SGs (eliminates C) and you need to permit outbound traffic for the NACLs as NACls are stateless (eliminates D)

    1. baboon says:

      In fact, I take that back, you can technically deny traffic using SGs by not having the rules there to permit the traffic, but overall, this question’s answers are horribly worded, horribly!!!
