Certified Security - Specialty


Wrong answer in Exam Simulator Security Speciality

In the question:

You have configured a VPC with a CIDR range of 10.0.0.0/16. You created a public subnet with a CIDR range of 10.0.1.0/24 and a private subnet of 10.0.2.0/24. You launch two application servers in the public subnet and an RDS PostgreSQL database in the private subnet. You have configured two security groups named MyWebSG and MyDbSG. You have assigned the web servers to MyWebSG and associated the RDS instance to MyDbSG. Which of the following rules will you need to add to enable the web servers to communicate with the database on port 5432?

  • A [Exam marked as correct] In MyDbSG, allow inbound traffic with a source of MyWebSG on port 5432

  • B [What I believe to be correct] In MyDbSG, allow inbound traffic with a source of MyWebSG on port 5432. In MyWebSG, allow outbound traffic with a destination of MyDbSG on port 5432

Simulator EXPLANATION:

Allow inbound access to the database from the web servers associated with the MyWebSG security group. Security groups are stateful; if you have allowed the inbound traffic, you do not need to create a rule to allow the outbound reply.


Although the explanation is correct, answer B describes 2 different rules which you have to apply to 2 different SGs. Therefore, IMHO option A is the correct one.

Can someone double check it?

Cheers,

Carlos

Tom Kringstad

Hi Carlos, I believe you are correct. When Security Groups are created the default outbound rules are set to allow all traffic and if you haven’t changed the default then you would not require a specific rule to allow outbound traffic on port 5432 for the MyWebSG. Best practice would suggest removing the default outbound rule though and explicitly enabling only the ports and destinations required, in which case answer B above would be correct, adding the outbound rule to the MyWebSG and an inbound rule on MyDbSG for port 5432 with the respective targets.

1 Answer

Hi Carlos,

Take a look at the Security Group default rules. In general you only need to specify inbound traffic; the outbound allows all ports to all destinations. Read the doco slowly to see if it proves you right or wrong.

google: AWS security group outbound default

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html


I will copy the details to the list of questions that need updating. I can check it in detail and make sure it is up to date at the same time.

Rusty

Moderator & Coach
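To make the two properties the thread relies on concrete (security groups are stateful, and a newly created group carries an allow-all egress rule by default), here is a small toy evaluator added as an example; it is not AWS code and not part of the original thread. It assumes constructed instance addresses (10.0.1.10 for a web server, 10.0.2.20 for the RDS instance) inside the subnets from the question, and models only enough of the rule semantics to show why answer A suffices with the default egress rule in place, and why an explicit egress rule on MyWebSG becomes necessary once that default is removed, as Tom's reply describes.

```python
"""Toy model of security-group evaluation for the MyWebSG -> MyDbSG scenario.

Added example, not AWS code. It models two behaviours only:
  * stateful tracking: the reply to an allowed connection is accepted
    without any rule in the other direction;
  * a new group's constructed default egress rule is "allow all".
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", or "-1" meaning all protocols/ports
    from_port: int
    to_port: int
    peer: str       # a security-group name or a CIDR such as 0.0.0.0/0

    def matches(self, protocol, port, peer_sg, peer_ip):
        if self.protocol != "-1":
            if self.protocol != protocol:
                return False
            if not (self.from_port <= port <= self.to_port):
                return False
        if "/" in self.peer:  # CIDR peer
            net = ipaddress.ip_network(self.peer, strict=False)
            return ipaddress.ip_address(peer_ip) in net
        return self.peer == peer_sg  # security-group peer


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)
    # Constructed default mirroring the behaviour the thread describes:
    # every new group starts with an allow-all outbound rule.
    egress: list = field(default_factory=lambda: [Rule("-1", 0, 65535, "0.0.0.0/0")])


class Evaluator:
    """Checks new connections against egress (source) and ingress (destination),
    and remembers allowed flows so the reply path needs no extra rule."""

    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}
        self.established = set()

    def new_connection(self, src_sg, src_ip, dst_sg, dst_ip, protocol, port):
        src, dst = self.groups[src_sg], self.groups[dst_sg]
        egress_ok = any(r.matches(protocol, port, dst_sg, dst_ip) for r in src.egress)
        ingress_ok = any(r.matches(protocol, port, src_sg, src_ip) for r in dst.ingress)
        if egress_ok and ingress_ok:
            self.established.add((src_ip, dst_ip, protocol, port))
            return True
        return False

    def reply(self, from_ip, to_ip, protocol, port):
        # Stateful: the reverse packet of a tracked flow is allowed as-is.
        return (to_ip, from_ip, protocol, port) in self.established


WEB_IP, DB_IP = "10.0.1.10", "10.0.2.20"  # constructed addresses


def scenario_answer_a():
    """Only the inbound rule from answer A; MyWebSG keeps its default egress."""
    web = SecurityGroup("MyWebSG")
    db = SecurityGroup("MyDbSG", ingress=[Rule("tcp", 5432, 5432, "MyWebSG")])
    ev = Evaluator([web, db])
    forward = ev.new_connection("MyWebSG", WEB_IP, "MyDbSG", DB_IP, "tcp", 5432)
    back = ev.reply(DB_IP, WEB_IP, "tcp", 5432)
    other_port = ev.new_connection("MyWebSG", WEB_IP, "MyDbSG", DB_IP, "tcp", 22)
    return forward, back, other_port


def scenario_locked_down_egress(add_explicit_egress):
    """Default egress removed from MyWebSG, as the best-practice reply suggests."""
    web = SecurityGroup("MyWebSG", egress=[])
    if add_explicit_egress:
        web.egress.append(Rule("tcp", 5432, 5432, "MyDbSG"))
    db = SecurityGroup("MyDbSG", ingress=[Rule("tcp", 5432, 5432, "MyWebSG")])
    ev = Evaluator([web, db])
    return ev.new_connection("MyWebSG", WEB_IP, "MyDbSG", DB_IP, "tcp", 5432)


if __name__ == "__main__":
    print("answer A with default egress:", scenario_answer_a())
    print("locked-down egress, no explicit rule:", scenario_locked_down_egress(False))
    print("locked-down egress, explicit rule:", scenario_locked_down_egress(True))
```

Running it shows answer A allowing the forward connection and its reply (while still denying an unrelated port such as 22), and that the connection fails once the default outbound rule is stripped unless MyWebSG gets an explicit egress rule to MyDbSG on 5432.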

carlos55rdgs

Indeed, that's right. I was not considering the default rule, which I should have. Reading again, it makes perfect sense.

carlos55rdgs

I would add this detail to the explanation to avoid further misunderstanding. Thx
