ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A company is migrating a three-tier web application to AWS. The security team mandates four separate network security zones: an Internet zone, a DMZ for public web endpoints, an intranet zone for application and database tiers, and an extranet that lets business partners reach specific APIs without exposing them publicly. Which AWS design best enforces these zones while limiting unnecessary exposure?
Expose web, application, and database tiers through AWS Global Accelerator; segregate partner traffic with IAM roles but keep all instances in private subnets.
Deploy all three tiers in one public subnet behind a Web Application Firewall and control access exclusively with security groups; allow partners to connect over the same public endpoint.
Host web and application servers together in a public subnet, the database in a private subnet, and provide partner access through the internet-facing load balancer using API keys.
Create a public subnet with an Internet Gateway for an internet-facing Application Load Balancer (DMZ); place web, application, and database instances in private subnets without an Internet Gateway; add a dedicated extranet subnet that terminates a Site-to-Site VPN and routes only to the application tier.
Placing the internet-facing Application Load Balancer in a public subnet that has a route to an Internet Gateway creates a DMZ accessible from the Internet but logically separate from internal resources. Locating the web, application, and database instances in private subnets without an Internet Gateway keeps them in an intranet zone; they can initiate outbound traffic through a NAT gateway if required. Partners connect over a dedicated Site-to-Site VPN that terminates in an isolated extranet subnet. That subnet's route tables and security groups are configured to allow traffic only to the application tier, preventing direct access to the DMZ or database. This clearly separates Internet, DMZ, intranet, and extranet zones. The other options either collapse multiple tiers into the same public subnet, expose private resources directly to the Internet, rely solely on security groups without subnet isolation, or make every tier reachable through a single public endpoint, violating the required zoning model.
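The zoning rules in the explanation above (DMZ subnet with an Internet Gateway route, intranet subnets with NAT-only egress, an extranet subnet that routes only to the VPN gateway and whose traffic is admitted only by the application tier) can be expressed as a small policy check. The script below is an added example written for this page, not Crucial Exams' material or any AWS tool; the subnet layouts are constructed samples, the gateway IDs are placeholders, and the `ingress_from` field is a simplified stand-in for security-group rules so the check runs offline.

```python
"""Zone-policy check for the four-zone VPC design: Internet, DMZ (public subnet
with an Internet Gateway), intranet (private subnets, NAT-only egress) and
extranet (isolated subnet terminating a Site-to-Site VPN, routed only to the
application tier).

The subnet layouts below are constructed samples for illustration, not data
from any real AWS account; gateway IDs are placeholders."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Subnet:
    name: str
    zone: str                       # "dmz", "intranet" or "extranet"
    tier: Optional[str]             # "web", "app", "db", or None (ALB-only / VPN-only subnet)
    routes: Dict[str, str]          # destination CIDR -> route target ID (igw-, nat-, vgw-, local)
    ingress_from: Set[str] = field(default_factory=set)  # subnets whose traffic the security group admits


def gateway_types(subnet: Subnet) -> Set[str]:
    """Reduce route targets (igw-..., nat-..., vgw-..., local) to their type prefix."""
    return {target.split("-")[0] for target in subnet.routes.values()}


def check_zoning(subnets: List[Subnet]) -> List[str]:
    """Return one finding per violation of the zoning model; an empty list means compliant."""
    findings: List[str] = []
    by_name = {s.name: s for s in subnets}

    for s in subnets:
        gws = gateway_types(s)
        if s.zone == "dmz":
            if "igw" not in gws:
                findings.append(f"{s.name}: DMZ subnet has no Internet Gateway route")
            if s.tier in ("app", "db"):
                findings.append(f"{s.name}: {s.tier} tier must not be placed in the DMZ")
        elif s.zone == "intranet":
            if "igw" in gws:
                findings.append(f"{s.name}: intranet subnet routes to an Internet Gateway")
        elif s.zone == "extranet":
            if "igw" in gws:
                findings.append(f"{s.name}: extranet subnet must not route to an Internet Gateway")
            if "vgw" not in gws:
                findings.append(f"{s.name}: extranet subnet has no VPN (virtual private gateway) route")

    # Partner traffic arriving from the extranet may land only on the application tier.
    for s in subnets:
        for src in s.ingress_from:
            src_subnet = by_name.get(src)
            if src_subnet is not None and src_subnet.zone == "extranet" and s.tier != "app":
                findings.append(f"{s.name}: admits extranet ingress but hosts tier {s.tier!r}, not 'app'")
    return findings


LOCAL = {"10.0.0.0/16": "local"}  # constructed VPC CIDR; every subnet carries the local route

# Layout matching the correct answer: ALB in the DMZ, all instances private, VPN-only extranet.
CORRECT_LAYOUT = [
    Subnet("dmz-public", "dmz", None, {**LOCAL, "0.0.0.0/0": "igw-PLACEHOLDER"}),
    Subnet("web-private", "intranet", "web", {**LOCAL, "0.0.0.0/0": "nat-PLACEHOLDER"}, {"dmz-public"}),
    Subnet("app-private", "intranet", "app", {**LOCAL, "0.0.0.0/0": "nat-PLACEHOLDER"}, {"web-private", "extranet-vpn"}),
    Subnet("db-private", "intranet", "db", dict(LOCAL), {"app-private"}),
    Subnet("extranet-vpn", "extranet", None, {**LOCAL, "198.51.100.0/24": "vgw-PLACEHOLDER"}),
]

# Layout resembling the distractors: app tier in the public subnet, database routed to the
# Internet and reachable from partners, extranet subnet exposed through the Internet Gateway.
FLAWED_LAYOUT = [
    Subnet("public-shared", "dmz", "app", {**LOCAL, "0.0.0.0/0": "igw-PLACEHOLDER"}),
    Subnet("db-private", "intranet", "db", {**LOCAL, "0.0.0.0/0": "igw-PLACEHOLDER"}, {"public-shared", "extranet-vpn"}),
    Subnet("extranet-vpn", "extranet", None, {**LOCAL, "0.0.0.0/0": "igw-PLACEHOLDER"}),
]


if __name__ == "__main__":
    for label, layout in (("correct", CORRECT_LAYOUT), ("flawed", FLAWED_LAYOUT)):
        print(f"{label}: {check_zoning(layout) or ['no findings']}")
```

Running the script reports no findings for the compliant layout and five for the flawed one (application tier in the DMZ, database subnet with an Internet Gateway route, database admitting extranet traffic, extranet subnet with an Internet Gateway route and no VPN route). The same checks map directly onto real route-table and security-group data once it is loaded from an account.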
Exam domain: Access Controls