Question 546 of 690 from exam SAA-C03: AWS Certified Solutions Architect - Associate

Answer: A.

Security groups are stateful - if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.

Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa)

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html#VPC_Security_

A network ACL contains a numbered list of rules that we evaluate in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.

Rules are evaluated starting with the lowest numbered rule.

As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that may contradict it.

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html#ACLRules

For.

Option A, rule # 100 allows all traffic.

So this will allow SSH requests irrespective of other higher numbered rules.

Security group rule allows SSH traffic for IP Range 10.10.1.0/24

IP address 10.10.1.148 falls under this IP range, so it allows SSH requests.

Network ACL outbound rule # 100 allows ALL traffic.

So the request would succeed.

This option is correct.

For Option B, when an SSH request is made, rule # 300 is never evaluated because the request succeeds during rule # 100 evaluation.

However, Rule # 300 gets evaluated when a non-SSH request is made.

But, for this question, it is an incorrect answer.

For Option C, rule # 200 is never evaluated because the request succeeds during rule # 100 evaluation.

So this option is incorrect.

For option D, Security Groups are stateful.

So, for an SSH request inbound to EC2 instance, the security group outbound does not impact.

So this option is incorrect.