ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your organization is migrating a two-tier web application to AWS. Corporate policy requires a demilitarized zone (DMZ) that exposes only the web tier to the Internet while preventing any direct inbound connectivity to the application and database tiers. Which Amazon VPC design best meets this requirement following AWS security best practices?
Deploy the web, application, and database instances together in a single public subnet protected solely by security groups that allow TCP 80 and 443 from 0.0.0.0/0.
Build two VPCs, one for the web tier and one for the internal tiers, peer them, and attach an Internet Gateway to both so each tier can receive client requests directly.
Place all tiers in a single private subnet and publish the web application to the Internet by assigning an Elastic IP address to a NAT gateway in that subnet.
Create separate public and private subnets within one VPC; attach an Internet Gateway to the public subnets for the web tier, place application and database instances in private subnets reachable only from the web tier, and use a NAT gateway for their outbound traffic.
A DMZ separates publicly reachable resources from internal systems. Placing Elastic Load Balancers and web servers in public subnets that have a route to an Internet Gateway lets customers reach the site. Hosting the application and database tiers in private subnets with no inbound Internet route, and allowing traffic only from the web-tier security group, prevents external hosts from connecting to them directly. A NAT gateway in the public subnet gives the private instances controlled outbound Internet access for patches and updates. The other designs either place sensitive resources in public subnets, give them direct Internet routes, or fail to provide any publicly reachable endpoint, so they do not satisfy the DMZ requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a DMZ in networking?
Open an interactive chat with Bash
How does a NAT gateway differ from an Internet Gateway in AWS?
Open an interactive chat with Bash
What is the purpose of security groups in AWS VPCs?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Access Controls
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .