Q65 — AWS SCS-C02 Ch.1
Question 65 of 100
A public subnet contains two Amazon EC2 instances. The subnet has a custom network ACL. A security engineer is designing a solution to improve the subnet security. The solution must allow outbound traffic to an internet service that uses TLS through port 443. The solution also must deny inbound traffic that is destined for MySQL port 3306. Which network ACL rule set meets these requirements?
- A. Use inbound rule 100 to allow traffic on TCP port 443. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
- B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443. ✓
- C. Use inbound rule 100 to allow traffic on TCP port range 1024-65535. Use inbound rule 200 to deny traffic on TCP port 3306. Use outbound rule 100 to allow traffic on TCP port 443.
- D. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443.
Correct Answer: B. Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port range 1024-65535. Use outbound rule 100 to allow traffic on TCP port 443.
Explanation
Network ACL rules are evaluated in ascending order of rule number, and the first rule that matches a packet decides; a packet that matches no numbered rule hits the implicit deny rule at the end. Network ACLs are also stateless, and that is what drives the answer: the instances' outbound TLS connections leave with destination port 443, but the responses come back as separate inbound packets whose destination is the ephemeral source port the instance picked (1024-65535), and those packets must be allowed explicitly. In option B, inbound rule 100 denies TCP 3306 before any allow can match it, inbound rule 200 allows the ephemeral range 1024-65535 so the return half of the outbound TLS sessions is accepted, and outbound rule 100 allows TCP 443 for the connections themselves. Option C contains the same rules in the wrong order: 3306 lies inside 1024-65535, so its rule 100 would allow inbound MySQL traffic and rule 200 would never be reached. Options A and D never allow the ephemeral range inbound, so the TLS responses would be dropped and the outbound connections would fail.
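To make the rule-ordering and statelessness argument concrete, here is an added example (not part of the original page, and not AWS code) that models network ACL evaluation and runs all four candidate rule sets against the three packets the question cares about: the outbound TLS packet to port 443, the inbound reply to an ephemeral port, and an inbound probe to MySQL port 3306. The evaluator is a deliberately minimal model of the documented behaviour (ascending rule numbers, first match wins, implicit deny, destination-port matching, no connection state); the reply port 49152 and the rule set encoding are assumptions chosen for the illustration.

```python
"""Stateless network ACL evaluation, modelled for the four answer options.

Added example for this question; it is not AWS tooling. The model covers
only what the question needs: TCP rules matched on destination port, tried
in ascending rule-number order, first match wins, implicit deny at the end,
and no connection tracking (a reply packet is judged on its own).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str   # "inbound" or "outbound"
    action: str      # "allow" or "deny"
    port_from: int
    port_to: int
    protocol: str = "tcp"


def evaluate(rules, direction, dst_port, protocol="tcp"):
    """Return 'allow' or 'deny' for one packet, the way a stateless NACL would."""
    ordered = sorted((r for r in rules if r.direction == direction),
                     key=lambda r: r.number)
    for rule in ordered:
        if rule.protocol == protocol and rule.port_from <= dst_port <= rule.port_to:
            return rule.action          # first matching rule decides
    return "deny"                       # implicit '*' rule


# The four candidate rule sets from the question, encoded as data.
OPTIONS = {
    "A": [Rule(100, "inbound", "allow", 443, 443),
          Rule(200, "inbound", "deny", 3306, 3306),
          Rule(100, "outbound", "allow", 443, 443)],
    "B": [Rule(100, "inbound", "deny", 3306, 3306),
          Rule(200, "inbound", "allow", 1024, 65535),
          Rule(100, "outbound", "allow", 443, 443)],
    "C": [Rule(100, "inbound", "allow", 1024, 65535),
          Rule(200, "inbound", "deny", 3306, 3306),
          Rule(100, "outbound", "allow", 443, 443)],
    "D": [Rule(100, "inbound", "deny", 3306, 3306),
          Rule(200, "inbound", "allow", 443, 443),
          Rule(100, "outbound", "allow", 443, 443)],
}

# Assumed ephemeral source port the instance picks for its TLS connection;
# the reply from the internet service is addressed to this port.
REPLY_PORT = 49152


def check(rules):
    """Evaluate the three packets that decide whether a rule set works.

    1. The instance opens a TLS connection: outbound packet, dst port 443.
    2. The service replies: inbound packet, dst port = instance's ephemeral port.
       Because the NACL is stateless this is judged by the inbound rules alone.
    3. Someone on the internet probes MySQL: inbound packet, dst port 3306.
    """
    return {
        "outbound_443": evaluate(rules, "outbound", 443),
        "return_ephemeral": evaluate(rules, "inbound", REPLY_PORT),
        "inbound_3306": evaluate(rules, "inbound", 3306),
    }


REQUIRED = {"outbound_443": "allow",
            "return_ephemeral": "allow",
            "inbound_3306": "deny"}


def meets_requirements(rules):
    return check(rules) == REQUIRED


def passing_options():
    """Names of the options whose rule set satisfies every requirement."""
    return [name for name, rules in OPTIONS.items() if meets_requirements(rules)]


if __name__ == "__main__":
    for name, rules in OPTIONS.items():
        verdict = "OK" if meets_requirements(rules) else "FAIL"
        print(f"Option {name}: {check(rules)} -> {verdict}")
    print("Passing:", passing_options())
```

Running it shows option B as the only passing set. The output for C is the instructive one: its inbound 3306 probe is allowed, because rule 100's 1024-65535 range covers 3306 and the deny at 200 is never consulted. A and D fail on the reply packet, which is the statelessness point: a security group would have let the reply through automatically, a network ACL will not.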