ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company is deploying a 3-tier web app in a single VPC. The security policy is:
Public-subnet web servers must accept only HTTPS (TCP 443) from the internet.
The web tier may reach the application tier only on TCP 8080.
Exploitation attempts against the web servers must be detected within minutes without installing agents on each instance.
Which approach satisfies all requirements with minimal operational effort?
Use the same security group for both tiers that allows inbound TCP 443 and 8080; enable Amazon Macie to detect malicious activity against the web servers.
Deploy a third-party next-generation firewall appliance from AWS Marketplace in a dedicated subnet to filter traffic; forward its logs to CloudWatch for alerting.
Create separate security groups for web and application instances; allow inbound 0.0.0.0/0 TCP 443 to the web-tier group and only TCP 8080 from the web-tier group to the application-tier group. Enable Amazon GuardDuty in the account for near-real-time threat detection.
Attach stateless network ACLs to the public and private subnets that allow TCP 443 and TCP 8080 respectively, and configure AWS Config rules to alert on unauthorized traffic.
Separate, stateful security groups let you enforce least-privilege rules with low overhead: the web-tier group allows inbound TCP 443 from anywhere and outbound TCP 8080 only to the application-tier group; the application-tier group allows inbound TCP 8080 solely from the web-tier group. Amazon GuardDuty continuously analyzes VPC Flow Logs, DNS logs, and CloudTrail events to spot reconnaissance, malware, or exploitation attempts in near real time without host agents. Network ACLs are stateless and cannot reference security groups, AWS Config and Macie are not intrusion-detection tools, and third-party firewalls add extra deployment and management effort.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Amazon GuardDuty used for in this solution?
Open an interactive chat with Bash
Why are security groups used instead of Network ACLs in this solution?
Open an interactive chat with Bash
What is the role of a VPC in deploying the 3-tier web application?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Security Concepts and Practices
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .