A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener.
Which configuration steps should the security engineer take to accomplish this task?
A. Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB’s default security group.
B. Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC’s internet gateway.
C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC’s internet gateway.
D. Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.
D
Restating the problem: the ALB must be prevented from accepting connections on port 80 so that all client traffic is forced over port 443 (HTTPS), even if an HTTP listener is mistakenly configured on the load balancer.
Tip: eliminate the clearly wrong options first, then choose the most reasonable one among those that remain.
A. Incorrect. Creating a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80 is not possible: security groups support allow rules only, so a deny rule cannot be written, and attaching an additional group to the ALB can only add permitted traffic; it never overrides another group's allow rule.
B. Incorrect. Creating a network ACL that denies inbound connections from 0.0.0.0/0 on port 80 and associating it with the VPC's internet gateway does not work: a network ACL is associated with subnets, not with the internet gateway. In addition, network ACL rules are evaluated in numbered order with the first match winning, so a deny placed after a broad allow never takes effect, and a misplaced rule can unexpectedly block other traffic.
C. Incorrect. Creating a network ACL that allows only outbound connections to the VPC IP range on port 443 and associating it with the VPC's internet gateway does not work either: a network ACL is associated with subnets, not with the internet gateway, and an outbound-only rule does nothing to stop inbound port 80 connections arriving from the internet.
D. Correct. Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443, and make it the only security group associated with the ALB. Because security group rules are allow-only and any inbound traffic without a matching allow rule is dropped, a mistakenly configured HTTP listener on port 80 has no rule permitting it and the connection never reaches the listener.
Security group: operates at the instance (network interface) level, controls inbound and outbound traffic, supports allow rules only (no deny rules), is stateful, and by default denies all inbound traffic (a newly created group allows all outbound).
Network ACL: operates at the subnet level, controls inbound and outbound traffic, supports both allow and deny rules, is stateless, evaluates rules in ascending rule-number order with the first match deciding, and the VPC's default network ACL allows all traffic (a custom network ACL denies everything until rules are added).
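The following is an added example, not part of the original question or its answer key. It models the two evaluation semantics the explanation relies on (security groups: allow-only, rules of all attached groups unioned; network ACLs: numbered allow/deny rules, first match wins) and audits an ALB's security groups so that only TCP/443 from 0.0.0.0/0 is reachable, which is the check a practitioner would run to confirm the option D configuration. All data is constructed in the shape of `aws ec2 describe-security-groups` and `describe-network-acls` output; the group IDs and rule numbers are hypothetical, and source CIDRs are not evaluated because every sample rule uses 0.0.0.0/0.

```python
"""Added example (not from the original question): security-group and
network-ACL evaluation semantics, plus an ALB ingress audit.  All sample
data below is constructed; the group IDs are hypothetical."""

# Constructed: the HTTPS-only group from option D (hypothetical ID).
SG_HTTPS_ONLY = {
    "GroupId": "sg-0aaa111111111111a",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed: a permissive "default" web group that also opens port 80.
SG_WEB_DEFAULT = {
    "GroupId": "sg-0bbb222222222222b",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def sg_allows_ingress(groups, protocol, port):
    """Security-group semantics: every rule is an allow, the rules of all
    attached groups are unioned, and anything unmatched is denied.  Attaching
    an extra group can therefore only open traffic, which is why option A
    (a 'deny' rule) cannot be expressed at all.  Source CIDR is not checked
    here; every constructed rule is 0.0.0.0/0."""
    for group in groups:
        for perm in group["IpPermissions"]:
            if not perm.get("IpRanges"):
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":  # "-1" means all protocols and all ports
                return True
            if proto == protocol and perm["FromPort"] <= port <= perm["ToPort"]:
                return True
    return False


def audit_alb_ingress(groups, allowed_ports=(443,)):
    """Compliance check for the option D configuration: exactly one group is
    attached and every ingress rule is TCP to a single allowed port.
    Returns a list of findings; an empty list means compliant."""
    findings = []
    if len(groups) != 1:
        findings.append(f"{len(groups)} security groups attached; expected exactly 1")
    for group in groups:
        for perm in group["IpPermissions"]:
            proto = perm["IpProtocol"]
            if proto == "-1":
                findings.append(f"{group['GroupId']}: ingress allows all protocols")
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if proto != "tcp" or lo != hi or lo not in allowed_ports:
                findings.append(f"{group['GroupId']}: ingress allows {proto} {lo}-{hi}")
    return findings


# Constructed NACL entries (IANA protocol "6" = TCP, "-1" = all), the way
# option B would have to be written if it were attached to a subnet.
NACL_DENY_80_FIRST = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 200, "Egress": False, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
]
# Same two rules with the numbers swapped (deny becomes 200, allow becomes
# 100): the broad allow is now evaluated first and the deny never fires.
NACL_ALLOW_ALL_FIRST = [dict(e, RuleNumber=300 - e["RuleNumber"]) for e in NACL_DENY_80_FIRST]


def nacl_decision(entries, egress, protocol, port):
    """Network-ACL semantics: entries are evaluated in ascending RuleNumber,
    the first matching entry decides, and the implicit final '*' rule denies.
    Explicit deny exists here, unlike security groups, but the ACL binds to
    subnets, never to the internet gateway."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress:
            continue
        if entry["Protocol"] not in ("-1", protocol):
            continue
        port_range = entry.get("PortRange")
        if port_range and not (port_range["From"] <= port <= port_range["To"]):
            continue
        return entry["RuleAction"]
    return "deny"


if __name__ == "__main__":
    print("option D, port 80 reachable:", sg_allows_ingress([SG_HTTPS_ONLY], "tcp", 80))
    print("second group attached, port 80 reachable:",
          sg_allows_ingress([SG_HTTPS_ONLY, SG_WEB_DEFAULT], "tcp", 80))
    print("audit findings:", audit_alb_ingress([SG_HTTPS_ONLY, SG_WEB_DEFAULT]))
    print("NACL order matters:", nacl_decision(NACL_DENY_80_FIRST, False, "6", 80),
          nacl_decision(NACL_ALLOW_ALL_FIRST, False, "6", 80))
```

Feeding real `describe-security-groups` output for the groups listed on the ALB into `audit_alb_ingress` gives the same check against a live account; the second group in the sample shows why "the only security group associated with the ALB" is part of the correct answer, since any additional group can only widen what is reachable.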