An application running on EC2 instances in the public subnet of a VPC must call an external web service via HTTPS (port 443).
Which of the below options would minimize the exposure of the instances? Choose 2 options.
A. A network ACL with a rule that allows outbound traffic on port 443
B. A network ACL with a rule that allows outbound traffic on port 443 and inbound traffic on ephemeral ports
C. A network ACL with a rule that allows outbound traffic on port 443 and inbound traffic on port 443
D. A security group with a rule that allows outbound traffic on port 443
E. A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports

Answer - B and D.
Since the traffic flows outbound from the instance to a web service on port 443, the outbound rules on both the network ACL and the security group need to allow traffic to port 443.
The network ACL is stateless, so the reply from the web service is checked against the inbound rules as well. That reply is addressed to the ephemeral source port the operating system on the instance chose for the connection, so the network ACL must also allow inbound traffic on the ephemeral port range for the connection to be established. The security group is stateful, so its outbound rule alone is enough: the reply to a connection the instance opened is admitted automatically.
Option A is invalid because this rule alone is not enough: the network ACL also needs to allow incoming traffic on ephemeral ports, or the reply is dropped at the subnet boundary.
Option C is invalid because the reply arrives on an ephemeral port, not on port 443; allowing inbound port 443 does not let the connection complete and needlessly opens the instance to inbound HTTPS connections.
Option E is invalid since the inbound ephemeral-port rule is redundant on a stateful security group and would allow anyone on the internet to open new connections to those ports on the instance, which adds exposure that is not required.
For more information on VPC Security Groups, please visit the below URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

To minimize the exposure of EC2 instances in a public subnet that call an external web service via HTTPS (port 443), the two options to choose are:
Option B: A network ACL with a rule that allows outbound traffic on port 443 and inbound traffic on ephemeral ports
Option D: A security group with a rule that allows outbound traffic on port 443
Explanation:
A Virtual Private Cloud (VPC) is an isolated virtual network for running AWS resources. Two layers of traffic filtering apply to an instance: a network ACL, which is associated with the subnet, and one or more security groups, which are associated with the instance's network interface.
Network ACLs are stateless and operate at the subnet level. They contain numbered allow and deny rules that are evaluated in order, lowest number first, with an implicit deny at the end, and every packet is checked against them, including the return traffic of a connection the instance itself opened. Security groups are stateful and operate at the instance level. They contain allow rules only, and once a connection is permitted in one direction, its return traffic is permitted automatically regardless of the rules for the other direction.
Option A: A network ACL with a rule that allows outbound traffic on port 443
The outbound rule lets the instance send its connection request to port 443 on the web service. Because the network ACL is stateless, the reply from the web service, which is addressed to the high-numbered source port the instance chose, is evaluated against the inbound rules, and with no inbound allow rule it is dropped. The connection never completes, so this option is incomplete on its own. Note that the default network ACL allows all inbound and outbound traffic, whereas a custom network ACL denies everything until rules are added.
Option B: A network ACL with a rule that allows outbound traffic on port 443 and inbound traffic on ephemeral ports
This is the correct network ACL configuration. The outbound rule allows the request and the inbound rule on the ephemeral range allows the reply. The ephemeral port is not chosen by the web service but by the operating system on the instance as the source port of each outgoing connection; the range depends on the OS (many Linux kernels use roughly 32768-61000, Windows Server 2008 and later use 49152-65535), and AWS recommends allowing 1024-65535 inbound so that replies to any of these, and to a NAT gateway's port range, get through. Because the rule is stateless it also admits unsolicited packets to those ports at the subnet boundary; the security group is what stops them from reaching the instance.
Option C: A network ACL with a rule that allows outbound traffic on port 443 and inbound traffic on port 443
An inbound rule for port 443 only matches traffic destined for port 443 on the instance, that is, connections to a web server running on the instance. The reply to the instance's own request is destined for its ephemeral source port, not 443, so it is still dropped by the stateless network ACL and the connection fails. This option also opens the instance to inbound HTTPS connections from the internet that the requirement does not call for.
Option D: A security group with a rule that allows outbound traffic on port 443
Because security groups are stateful, a single outbound rule for port 443 is sufficient: the reply to a connection the instance initiated is allowed back in automatically, and no inbound rule is needed. The default security group allows all outbound traffic, so to minimize exposure that allow-all outbound rule should be replaced by this single port-443 rule, and the group should carry no inbound rules at all.
Option E: A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports
The inbound ephemeral-port rule is unnecessary in a security group, since return traffic is already handled by connection tracking. Worse, a security group inbound rule is not limited to return traffic: it allows anyone on the internet to open new connections to any port in the ephemeral range on the instance, which increases exposure rather than minimizing it.
Therefore, options B and D together are the correct answer: B is the minimal stateless rule set that lets the connection complete at the subnet level, and D is the minimal stateful rule set at the instance level.
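The stateless-versus-stateful reasoning used in both explanations above can be checked mechanically. The following is an added example, not code from the page or from AWS: a small model of how a network ACL (numbered rules, lowest number first, implicit deny, every packet checked) and a security group (allow rules only, return traffic admitted by connection tracking) treat the packets of one outbound HTTPS connection. The class and function names (`Packet`, `NaclRule`, `NetworkAcl`, `SecurityGroup`, `option_a` through `option_e`, `https_call_completes`, `unsolicited_syn_reaches_instance`, `evaluate`), the instance source port 51234, the attacker source port 40000 and the probed port 8080 are this example's own constructed values.

```python
"""Model of AWS NACL (stateless) and security group (stateful) evaluation.

Added example, not AWS code. Names and sample ports are assumptions made
for illustration; the evaluation order follows the AWS documentation.
"""
from dataclasses import dataclass

# Range AWS recommends allowing inbound on a NACL for return traffic; it
# covers Linux, Windows and NAT gateway ephemeral ranges.
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    direction: str  # "egress" (instance -> internet) or "ingress"
    src_port: int
    dst_port: int   # both NACL and SG port ranges match the destination port


@dataclass(frozen=True)
class NaclRule:
    number: int
    egress: bool
    ports: tuple    # inclusive (from, to); TCP assumed throughout
    action: str     # "allow" or "deny"

    def matches(self, pkt):
        return (self.egress == (pkt.direction == "egress")
                and self.ports[0] <= pkt.dst_port <= self.ports[1])


class NetworkAcl:
    """Stateless: every packet, replies included, is checked; the lowest
    numbered matching rule decides, otherwise the implicit '*' deny."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False


class SecurityGroup:
    """Stateful: allow rules only; a packet belonging to a connection already
    permitted in the other direction is admitted without an explicit rule."""

    def __init__(self, egress_ports=(), ingress_ports=()):
        self.egress_ports = list(egress_ports)    # [(from, to), ...]
        self.ingress_ports = list(ingress_ports)
        self.tracked = set()  # (instance_port, remote_port) of allowed flows

    def allows(self, pkt):
        if pkt.direction == "egress":
            flow, ranges = (pkt.src_port, pkt.dst_port), self.egress_ports
        else:
            flow, ranges = (pkt.dst_port, pkt.src_port), self.ingress_ports
        if flow in self.tracked or any(lo <= pkt.dst_port <= hi for lo, hi in ranges):
            self.tracked.add(flow)
            return True
        return False


# The five options from the question, expressed as rule sets.
def option_a():
    return NetworkAcl([NaclRule(100, True, (443, 443), "allow")])

def option_b():
    return NetworkAcl([NaclRule(100, True, (443, 443), "allow"),
                       NaclRule(100, False, EPHEMERAL, "allow")])

def option_c():
    return NetworkAcl([NaclRule(100, True, (443, 443), "allow"),
                       NaclRule(100, False, (443, 443), "allow")])

def option_d():
    return SecurityGroup(egress_ports=[(443, 443)])

def option_e():
    return SecurityGroup(egress_ports=[(443, 443)], ingress_ports=[EPHEMERAL])


def https_call_completes(nacl, sg, src_port=51234):
    """Does the SYN to remote:443 get out and the SYN-ACK get back in?
    Outbound traffic passes the security group then the NACL; inbound the
    reverse. src_port stands in for the ephemeral port the OS picked."""
    syn = Packet("egress", src_port, 443)
    syn_ack = Packet("ingress", 443, src_port)
    if not (sg.allows(syn) and nacl.allows(syn)):
        return False
    return nacl.allows(syn_ack) and sg.allows(syn_ack)


def unsolicited_syn_reaches_instance(nacl, sg, port):
    """Someone on the internet opens a brand-new connection to `port`."""
    return nacl.allows(Packet("ingress", 40000, port)) and \
        sg.allows(Packet("ingress", 40000, port))


def evaluate():
    """For each NACL/SG pairing: (call works, a service on port 8080 exposed)."""
    nacls = {"A": option_a, "B": option_b, "C": option_c}
    sgs = {"D": option_d, "E": option_e}
    return {n + s: (https_call_completes(mn(), ms()),
                    unsolicited_syn_reaches_instance(mn(), ms(), 8080))
            for n, mn in nacls.items() for s, ms in sgs.items()}


if __name__ == "__main__":
    for pair, (works, exposed) in evaluate().items():
        print(f"{pair}: call completes={works}, port 8080 reachable={exposed}")
```

Running it shows only the B+D and B+E pairings let the HTTPS call complete (A and C drop the SYN-ACK at the stateless NACL because it is addressed to port 51234, not 443), and that B+E additionally lets a new connection from the internet reach port 8080 on the instance, which is exactly the exposure the question asks to minimize. Note how the NACL in option B also passes that unsolicited SYN at the subnet boundary; it is the stateful security group in option D, with no inbound rules, that stops it.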