AWS Certified Cloud Practitioner: Restricting Communication with Security Groups

Securing Communication in AWS VPC with Security Groups

Question

An organization runs several EC2 instances inside a VPC with three subnets: one for Development, one for Test and one for Production.

The Security team has some concerns about the VPC configuration.

It wants to restrict communication between the EC2 instances using Security Groups. Which of the following options is true for Security Groups?

Answers

Explanations



Answer: A.

Option A is CORRECT because the AWS documentation states, in the section called "Changing an Instance's Security Group": "After you launch an instance into a VPC, you can change the security groups that are associated with the instance.

You can change the security groups for an instance when the instance is in the running or stopped state."

Options B, C, D and E are INCORRECT as a consequence of A.

References:

https://docs.aws.amazon.com/en_pv/vpc/latest/userguide/VPC_SecurityGroups.html

The correct answer is A. You can change a Security Group associated with an instance if the instance state is stopped or running.

A Security Group acts as a virtual firewall at the instance level (strictly, at the network interface level) that controls inbound and outbound traffic. It contains only allow rules: traffic that matches no rule is dropped, and there is no way to write an explicit deny. A newly created Security Group has no inbound rules, so all inbound traffic is denied, and a single outbound rule that allows all outbound traffic. Security Groups are also stateful: the reply to an allowed request is permitted without a matching rule in the other direction.

In this scenario, the Security team wants to restrict communication across the EC2 instances. Because Security Groups carry only allow rules, this is done by writing inbound rules that admit only the traffic each tier actually needs, preferably by referencing the source Security Group rather than a CIDR block: the Production group, for example, admits TCP 443 only from members of the Production group and nothing from Development or Test. Explicit deny rules are not available in Security Groups; if a deny is required, it belongs in a network ACL at the subnet level.

It is also important to understand when the group membership of an instance can be changed. The correct answer, A, states that the Security Groups associated with an instance can be changed while the instance is running or stopped.

A running instance is associated with one or more Security Groups, which define the inbound and outbound traffic allowed to and from it. The rules of a Security Group can be edited at any time, and the change takes effect automatically on every instance associated with that group, without stopping or restarting anything.

Changing which groups an instance belongs to is a different operation from editing a group's rules: it is performed on the instance (on its network interface), and the AWS documentation states that it is possible while the instance is in the running or stopped state. An instance must keep at least one Security Group at all times, so a group is replaced rather than simply removed.
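To make the two points above concrete (allow-only, stateful rules that reference other groups, and group membership that is changed on the instance rather than in the rules), here is an added offline model of Security Group evaluation for the Development/Test/Production scenario. It is example code written for this page, not AWS code or the AWS API; the group IDs (sg-dev, sg-test, sg-prod), instance IDs and private IPs are constructed placeholders, and the instance-state check in set_instance_groups simply models the documentation sentence quoted above.

```python
"""Offline model of EC2 Security Group semantics (added example, not AWS code).

All identifiers below (sg-dev, sg-test, sg-prod, i-dev1, 10.0.x.y) are
constructed for this illustration and do not refer to real resources.
"""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional

ALL = "-1"  # AWS uses protocol -1 to mean "all traffic"


@dataclass(frozen=True)
class Rule:
    protocol: str                 # "tcp", "udp", "icmp" or ALL
    from_port: int = 0
    to_port: int = 65535
    cidr: Optional[str] = None    # IPv4 range, e.g. "10.0.0.0/16"
    group: Optional[str] = None   # ID of a referenced Security Group


@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)   # new group: no inbound rules
    # New group: one egress rule allowing all outbound traffic.
    egress: list = field(default_factory=lambda: [Rule(ALL, cidr="0.0.0.0/0")])


@dataclass
class Instance:
    instance_id: str
    private_ip: str
    state: str      # EC2 instance state name, e.g. "running", "stopped", "pending"
    groups: list    # Security Group IDs attached to the instance's interface


def rule_matches(rule, protocol, port, peer_ip, peer_groups):
    """True if this allow rule covers the flow. There are no deny rules:
    a flow is allowed iff at least one rule matches, otherwise it is dropped."""
    if rule.protocol != ALL:
        if rule.protocol != protocol:
            return False
        if not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.group is not None:          # group reference: match on membership
        return rule.group in peer_groups
    if rule.cidr is not None:           # CIDR rule: match on the peer address
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
    return False


def flow_allowed(sgs, src, dst, protocol, port):
    """Evaluate src -> dst:port. The source's egress rules and the destination's
    ingress rules must both allow it; being stateful, the reply needs no rule."""
    egress_ok = any(rule_matches(r, protocol, port, dst.private_ip, dst.groups)
                    for g in src.groups for r in sgs[g].egress)
    ingress_ok = any(rule_matches(r, protocol, port, src.private_ip, src.groups)
                     for g in dst.groups for r in sgs[g].ingress)
    return egress_ok and ingress_ok


def set_instance_groups(instance, group_ids, sgs):
    """Replace the groups attached to an instance. The state check models the
    documented statement that this is done while running or stopped; the check
    itself is this example's own, not an API contract."""
    if instance.state not in ("running", "stopped"):
        raise ValueError(f"{instance.instance_id} is {instance.state}; "
                         "change groups only when running or stopped")
    if not group_ids or any(g not in sgs for g in group_ids):
        raise ValueError("an instance needs at least one existing Security Group")
    instance.groups = list(group_ids)


def build_scenario():
    """Constructed three-tier scenario: Dev talks freely to Dev, Test has no
    inbound rules at all, Prod admits HTTPS and Postgres only from Prod."""
    sgs = {
        "sg-dev":  SecurityGroup("sg-dev",  ingress=[Rule(ALL, group="sg-dev")]),
        "sg-test": SecurityGroup("sg-test"),
        "sg-prod": SecurityGroup("sg-prod", ingress=[
            Rule("tcp", 443, 443, group="sg-prod"),
            Rule("tcp", 5432, 5432, group="sg-prod"),
        ]),
    }
    instances = {
        "i-dev1":  Instance("i-dev1",  "10.0.1.10", "running", ["sg-dev"]),
        "i-dev2":  Instance("i-dev2",  "10.0.1.11", "stopped", ["sg-dev"]),
        "i-test1": Instance("i-test1", "10.0.2.10", "running", ["sg-test"]),
        "i-test2": Instance("i-test2", "10.0.2.11", "pending", ["sg-test"]),
        "i-prod1": Instance("i-prod1", "10.0.3.10", "running", ["sg-prod"]),
        "i-prod2": Instance("i-prod2", "10.0.3.11", "running", ["sg-prod"]),
    }
    return sgs, instances


if __name__ == "__main__":
    sgs, inst = build_scenario()
    print(flow_allowed(sgs, inst["i-dev1"], inst["i-prod1"], "tcp", 443))   # dropped
    print(flow_allowed(sgs, inst["i-prod2"], inst["i-prod1"], "tcp", 443))  # allowed
    set_instance_groups(inst["i-dev2"], ["sg-prod"], sgs)                   # stopped: ok
    print(flow_allowed(sgs, inst["i-dev2"], inst["i-prod1"], "tcp", 443))  # now allowed
```

The real operations the model stands in for are `aws ec2 authorize-security-group-ingress --group-id <sg> --protocol tcp --port 443 --source-group <sg>` for adding a group-referencing allow rule and `aws ec2 modify-instance-attribute --instance-id <id> --groups <sg> ...` for replacing the groups attached to a running or stopped instance. Note that moving i-dev2 into sg-prod changes what it can reach without any rule on sg-prod being edited, which is why group membership deserves the same change control as the rules themselves.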

Option B is incorrect because it suggests that changes can only be made to a Security Group associated with an instance when the instance state is stopped, which is not true.

Option C is incorrect because it suggests that changes cannot be made to a Security Group that has instances associated with it, which is not true. Changes can be made to the Security Group rules even if there are instances associated with it.

Option D is incorrect because it suggests that only the Default Security Group can be changed, which is not true. All Security Groups can be changed.

Therefore, the correct answer is A: the Security Groups of an instance can be changed whenever the instance is running or stopped, while the rules of a Security Group can be edited at any time and apply to all associated instances automatically.