Security Groups for EC2 Instances: False Statements



Question

Which of the following is false with regard to Security Groups that can be defined for EC2 Instances?

Answers

Explanations


Answer - A.

The AWS documentation states the following about security groups:

1. You can specify allow rules, but not deny rules.

2. You can specify separate rules for inbound and outbound traffic.

3. When you create a security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.

4. Security groups are stateful - if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

For more information on Security Groups, please refer to the URL below:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
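As an added illustration that is not part of the AWS documentation or this page, the following Python model encodes the four documented properties (allow-only rules, separate inbound and outbound rule sets, no inbound rules on creation, stateful reply handling) so they can be exercised against constructed traffic. The Rule and SecurityGroup classes, the flow-tracking scheme and the IPv4-only default outbound rule are assumptions of this model, not the AWS API.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One allow rule. There is no deny variant (statement 1)."""
    protocol: str   # "tcp", "udp", or "-1" meaning all protocols
    from_port: int
    to_port: int
    cidr: str

    def matches(self, protocol, port, remote_ip):
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if self.protocol != "-1" and not self.from_port <= port <= self.to_port:
            return False
        return ip_address(remote_ip) in ip_network(self.cidr)


ALLOW_ALL = Rule("-1", 0, 65535, "0.0.0.0/0")


@dataclass
class SecurityGroup:
    # Statement 3: a new group has no inbound rules, so inbound is implicit deny.
    inbound: list = field(default_factory=list)
    # A new group does get one outbound allow-all rule (modelled here as IPv4 only).
    outbound: list = field(default_factory=lambda: [ALLOW_ALL])
    # Statement 4: flows already allowed in one direction (stateful tracking).
    flows: set = field(default_factory=set)

    def authorize_ingress(self, rule):   # statement 2: separate rule sets
        self.inbound.append(rule)

    def authorize_egress(self, rule):
        self.outbound.append(rule)

    def allow_inbound(self, protocol, local_port, remote_ip, remote_port):
        key = (protocol, remote_ip, remote_port, local_port)
        if key in self.flows:            # reply to a request this instance sent
            return True
        if any(r.matches(protocol, local_port, remote_ip) for r in self.inbound):
            self.flows.add(key)          # remember it so the response can flow out
            return True
        return False                     # no allow rule matched: dropped

    def allow_outbound(self, protocol, local_port, remote_ip, remote_port):
        key = (protocol, remote_ip, remote_port, local_port)
        if key in self.flows:            # response to allowed inbound traffic
            return True
        if any(r.matches(protocol, remote_port, remote_ip) for r in self.outbound):
            self.flows.add(key)
            return True
        return False
```

Creating a group with `SecurityGroup(outbound=[])` models removing the default outbound rule, which shows that replies to allowed inbound traffic still leave the instance.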

Security Groups in AWS are virtual firewalls that are used to control inbound and outbound traffic for EC2 instances. They are associated with instances and provide security at the protocol and port access level. Security Groups are a fundamental component of AWS security and can be used to control traffic at the instance level.

A. In Security Groups, you can define both allow and deny rules: This statement is true. You can define rules in security groups that allow traffic or block traffic. For example, you can allow traffic from a specific IP address or range of IP addresses or deny traffic from a particular port.

B. You can specify separate rules for inbound and outbound traffic: This statement is also true. You can define separate rules for inbound and outbound traffic. Inbound rules are used to control traffic coming to the instance, while outbound rules are used to control traffic leaving the instance.

C. When you create a security group, it has no inbound rules: This statement is false. When you create a security group, by default, it has an inbound rule that allows traffic from the same security group. This is known as a self-referencing rule. You can modify this rule or add new inbound rules to allow traffic from specific IP addresses or ranges of IP addresses.

D. Security groups are stateful in nature: This statement is true. Because security groups are stateful, when you allow traffic to a particular port in the inbound rules, the traffic is automatically allowed back out through the same port. This eliminates the need to create a separate outbound rule for the same traffic. The opposite is also true: if you block traffic to a port, all traffic to and from that port will be blocked, regardless of its direction.

In summary, the false statement is C - when you create a security group, it has no inbound rules.