ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A company is migrating its internal payroll application to AWS. Compliance requires that EC2 application servers are never reachable from the public internet, yet they must download OS and antivirus updates from the internet. Users in the on-premises data center must initiate SSH sessions to the servers over an encrypted link. The design must be highly available and demand minimal operational management. Which solution best meets these requirements?
Place the application servers in a private subnet; attach an Internet Gateway; add outbound-only rules in the servers' security group; configure a Site-to-Site VPN for corporate access; do not deploy any NAT device.
Place the application servers in a private subnet that also hosts a single t3.micro NAT instance; create an AWS Client VPN endpoint for corporate users; route all internet and VPN traffic through the NAT instance.
Place the application servers in a public subnet with Elastic IP addresses; restrict inbound traffic to SSH only; provide corporate access through an AWS Client VPN endpoint; no NAT device is needed.
Place the application servers in a private subnet; create two public subnets each hosting an AWS NAT Gateway; add a default route from the private subnet to the NAT Gateways; attach a Virtual Private Gateway and establish a Site-to-Site VPN from the data center; no inbound rules from the internet are required.
Placing the application servers in a private subnet prevents any direct inbound traffic from the internet. Private instances can reach the internet only through a NAT device in a public subnet that forwards their outbound traffic to an attached Internet Gateway; managed NAT Gateways are deployed one per Availability Zone and scale automatically, so one in each of two public subnets gives high availability with no maintenance overhead. A Virtual Private Gateway terminating an AWS Site-to-Site VPN supplies the encrypted tunnel over which corporate users initiate SSH sessions without the servers ever being publicly exposed. The other options each fail at least one requirement: with no NAT device, the instances cannot reach the internet for updates; placing the servers in a public subnet violates the no-internet-reachability mandate; a single NAT instance in the same private subnet is not a supported topology (it has no route to the Internet Gateway), is not highly available, and requires ongoing patching and administration.
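As an added check that is not part of the question or its explanation, the script below audits a VPC route layout against these requirements and also flags the failure modes of the wrong options (default route to an Internet Gateway, NAT device inside the application subnet, NAT not in a public subnet, no Virtual Private Gateway route, fewer than two NAT Availability Zones). All route tables, gateway IDs, subnet IDs and the corporate CIDR are constructed placeholders, shaped loosely after describe-route-tables output.

```python
# Constructed sample data (not from any real account), shaped after describe-route-tables output.
ROUTE_TABLES = {
    "rtb-app-a": {"subnets": ["subnet-app-a"], "routes": [
        ("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-a"), ("192.168.0.0/16", "vgw-corp")]},
    "rtb-app-b": {"subnets": ["subnet-app-b"], "routes": [
        ("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-b"), ("192.168.0.0/16", "vgw-corp")]},
    "rtb-public": {"subnets": ["subnet-pub-a", "subnet-pub-b"], "routes": [
        ("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-main")]},
    # A misconfigured "private" subnet whose default route bypasses NAT entirely.
    "rtb-leaky": {"subnets": ["subnet-leaky"], "routes": [
        ("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-main"), ("192.168.0.0/16", "vgw-corp")]},
}
NAT_GATEWAYS = {"nat-a": ("subnet-pub-a", "az-a"), "nat-b": ("subnet-pub-b", "az-b")}  # id -> (subnet, AZ)
CORP_CIDR = "192.168.0.0/16"  # assumed on-premises data center range

def routes_for(subnet):  # routes of the table associated with `subnet`; [] if it has none
    for table in ROUTE_TABLES.values():
        if subnet in table["subnets"]:
            return table["routes"]
    return []

def default_target(subnet):
    return next((t for d, t in routes_for(subnet) if d == "0.0.0.0/0"), None)

def audit_app_subnet(subnet):
    """Return findings for an application subnet; an empty list means it matches the design."""
    findings = []
    target = default_target(subnet)
    if target is None:
        findings.append("no default route: instances cannot download updates")
    elif target.startswith("igw-"):
        findings.append("default route goes to an Internet Gateway, so the subnet is public")
    elif target.startswith("nat-"):
        nat_subnet, _ = NAT_GATEWAYS.get(target, (None, None))
        if nat_subnet == subnet:
            findings.append("NAT device is inside the application subnet itself")
        elif not (default_target(nat_subnet) or "").startswith("igw-"):
            findings.append(f"{target} is not in a public subnet and cannot forward traffic")
    else:
        findings.append(f"default route target {target} is not a managed NAT Gateway")
    if not any(d == CORP_CIDR and t.startswith("vgw-") for d, t in routes_for(subnet)):
        findings.append("corporate range is not routed to a Virtual Private Gateway")
    return findings

def nat_availability_zones():
    """Distinct AZs hosting NAT Gateways; fewer than two means no AZ-level redundancy."""
    return {az for _, az in NAT_GATEWAYS.values()}
```

Each application subnet needs its own route table pointing at the NAT Gateway in its Availability Zone, which is why the sample keeps one table per subnet rather than a single shared default route.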
Systems and Application Security