Question 260 of 310 from exam SCS-C01: AWS Certified Security - Specialty


Question

There are several EC2 instances in a VPC subnet.

All instances use the same security group (sg-12345678)

The security group has the following rules:

Inbound:
  Type         Protocol   Port Range   Source
  All traffic  All        All          sg-12345678
  SSH          TCP        22           172.31.1.6/32

Outbound:
  Type         Protocol   Port Range   Destination
  All traffic  All        All          sg-12345678

The subnet is associated with a network ACL that has the following inbound/outbound rules:

Inbound:
  Rule   Type         Protocol   Port Range   Source          Allow/Deny
  100    SSH          TCP        22           172.31.1.6/32   Allow
  *      All traffic  All        All          0.0.0.0/0       Deny

Outbound:
  Rule   Type         Protocol   Port Range   Destination     Allow/Deny
  100    Custom TCP   TCP        1024-65535   172.31.1.6/32   Allow
  *      All traffic  All        All          0.0.0.0/0       Deny

With these configurations, which kinds of traffic are allowed for the instances in the subnet?

Answers

Explanations


A. B. C. D.

Correct Answer - B.

Security groups and ACLs are used together to control the traffic as layers of security to the VPC.

In the network ACL, only inbound SSH from the host 172.31.1.6/32 is allowed; traffic from all other hosts is denied.

The security group allows SSH access from 172.31.1.6/32, and it also allows all traffic from the instances with the security group of sg-12345678.

Option A is incorrect: the allowed inbound traffic is SSH, not RDP, and the instances can communicate with each other.

Option B is CORRECT: Refer to the above explanations.

Option C is incorrect: the outbound rule (100) in the ACL allows traffic to 172.31.1.6/32 on ports 1024-65535, the ephemeral port range, so the return traffic to the SSH client is allowed.

Option D is incorrect: the inbound rule in the security group allows all traffic from sg-12345678, so the instances can communicate with each other.
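The reasoning above can be checked by modelling how AWS evaluates the two layers: a security group is stateful and has only allow rules, so a reply is permitted once the request is; a network ACL is stateless and evaluated in rule-number order, so the request and the reply must each match an allow rule; and traffic between two instances in the same subnet never crosses the subnet boundary, so the NACL is not consulted for it. The following is an added example written for this page, not code from the exam or from AWS. The instance addresses 172.31.2.10 and 172.31.2.11, the outside host 203.0.113.5, the other in-VPC host 172.31.1.99 and the client source port 49152 are constructed values; the rules are the ones in the question.

```python
"""Model of how a stateful security group (SG) and a stateless network ACL (NACL)
combine for the rules in the question. Constructed example, not AWS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SG_ID = "sg-12345678"
ADMIN_CIDR = "172.31.1.6/32"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class SgRule:
    protocol: str               # "tcp", "udp", "icmp" or "all"
    from_port: int
    to_port: int
    cidr: Optional[str] = None  # exactly one of cidr / sg_id is set
    sg_id: Optional[str] = None


@dataclass(frozen=True)
class NaclRule:
    number: int                 # evaluated lowest first; the '*' catch-all is modelled as 32767
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    action: str                 # "allow" or "deny"


@dataclass(frozen=True)
class Endpoint:
    ip: str
    sg: Optional[str] = None    # SG_ID if this is one of the instances, else None
    in_subnet: bool = False     # True for the instances in the subnet under discussion


# The question's security group (sg-12345678)
SG_INBOUND = [
    SgRule("all", 0, 65535, sg_id=SG_ID),    # All traffic from members of sg-12345678
    SgRule("tcp", 22, 22, cidr=ADMIN_CIDR),  # SSH from 172.31.1.6/32
]
SG_OUTBOUND = [SgRule("all", 0, 65535, sg_id=SG_ID)]  # All traffic to members of sg-12345678

# The question's network ACL
NACL_INBOUND = [
    NaclRule(100, "tcp", 22, 22, ADMIN_CIDR, "allow"),
    NaclRule(32767, "all", 0, 65535, ANY, "deny"),
]
NACL_OUTBOUND = [
    NaclRule(100, "tcp", 1024, 65535, ADMIN_CIDR, "allow"),  # replies to the client's ephemeral port
    NaclRule(32767, "all", 0, 65535, ANY, "deny"),
]


def _match(rule_proto, from_port, to_port, proto, port):
    return (rule_proto == "all" or rule_proto == proto) and from_port <= port <= to_port


def sg_allows(rules, peer_ip, peer_sg, proto, port):
    """Security groups only have allow rules: any matching rule permits the packet."""
    for r in rules:
        if not _match(r.protocol, r.from_port, r.to_port, proto, port):
            continue
        if r.sg_id is not None and r.sg_id == peer_sg:
            return True
        if r.cidr is not None and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r.cidr):
            return True
    return False


def nacl_allows(rules, peer_ip, proto, port):
    """NACL rules are evaluated in rule-number order; the first match decides."""
    for r in sorted(rules, key=lambda x: x.number):
        if (_match(r.protocol, r.from_port, r.to_port, proto, port)
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r.cidr)):
            return r.action == "allow"
    return False


def connection_allowed(src, dst, proto, dst_port, src_port=49152):
    """Can `src` open a connection to `dst` on `dst_port`? At least one side is an instance
    in the subnet. Returns (allowed, reason)."""
    # 1. Sender's SG outbound applies only when the sender is one of our instances.
    if src.sg == SG_ID and not sg_allows(SG_OUTBOUND, dst.ip, dst.sg, proto, dst_port):
        return False, "sender SG outbound denies"
    # Intra-subnet traffic never leaves the subnet, so the NACL is not evaluated for it.
    crosses_nacl = src.in_subnet != dst.in_subnet
    # 2. NACL on the request packet (outbound if we initiate, inbound if we receive).
    if crosses_nacl:
        ok = (nacl_allows(NACL_OUTBOUND, dst.ip, proto, dst_port) if src.in_subnet
              else nacl_allows(NACL_INBOUND, src.ip, proto, dst_port))
        if not ok:
            return False, "NACL denies request"
    # 3. Receiver's SG inbound applies only when the receiver is one of our instances.
    if dst.sg == SG_ID and not sg_allows(SG_INBOUND, src.ip, src.sg, proto, dst_port):
        return False, "receiver SG inbound denies"
    # 4. The SG is stateful, so the reply is already allowed; the stateless NACL must
    #    separately allow the reply packet, which is addressed to the client's source port.
    if crosses_nacl:
        ok = (nacl_allows(NACL_INBOUND, dst.ip, proto, src_port) if src.in_subnet
              else nacl_allows(NACL_OUTBOUND, src.ip, proto, src_port))
        if not ok:
            return False, "NACL denies reply"
    return True, "allowed"


# Constructed endpoints (only 172.31.1.6 and sg-12345678 come from the question).
ADMIN = Endpoint("172.31.1.6")
OTHER_HOST = Endpoint("172.31.1.99")
INST_A = Endpoint("172.31.2.10", SG_ID, True)
INST_B = Endpoint("172.31.2.11", SG_ID, True)
INTERNET = Endpoint("203.0.113.5")

if __name__ == "__main__":
    for label, args in [("admin -> instance ssh", (ADMIN, INST_A, "tcp", 22)),
                        ("admin -> instance rdp", (ADMIN, INST_A, "tcp", 3389)),
                        ("other host -> instance ssh", (OTHER_HOST, INST_A, "tcp", 22)),
                        ("instance -> instance ssh", (INST_A, INST_B, "tcp", 22)),
                        ("instance -> internet https", (INST_A, INTERNET, "tcp", 443))]:
        print(f"{label:30} {connection_allowed(*args)}")
```

Running the scenarios shows the answer B outcome: only 172.31.1.6 can reach the instances, only over SSH, and the instances can talk to each other on any port because that traffic is governed by the security group alone. The model also surfaces two points the exam text only implies: a client whose source port falls below 1024 would have its SSH reply dropped by the NACL's outbound rule 100, and the instances cannot initiate connections to anything outside sg-12345678, including the admin host, because the security group's outbound rule names only that group.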

Based on the given configurations, the instances in the subnet can communicate with each other, and only the remote host with IP address 172.31.1.6/32 can connect to the instances via SSH. Let's break it down:

Security Group Configuration:

  • The inbound rule for SSH allows traffic from the source security group sg-12345678, which means that instances in the same security group can connect to each other via SSH.
  • The outbound rule allows all traffic to any destination within the same security group sg-12345678.

Network ACL Configuration:

  • The inbound rule for SSH allows traffic from the IP address 172.31.1.6/32 and denies all other traffic from any source.
  • The outbound rule allows Custom TCP traffic on ports 1024-65535 to the IP address 172.31.1.6/32 and denies all other traffic to any destination.

Combining the security group and network ACL configurations, we can determine the allowed traffic for the instances in the subnet:

  • Instances in the same security group can communicate with each other via SSH.
  • Only the remote host with IP address 172.31.1.6/32 can connect to the instances via SSH.
  • All other traffic is denied by the network ACL.

Therefore, the correct answer is D: Only the remote host (172.31.1.6/32) can connect to the instances via the SSH protocol, but instances in the subnet cannot communicate with each other.