AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 49
A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied.
The SQS queue is not receiving messages.
Which of the following are possible causes of this problem? (Choose two.)
Answer options
- A. The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS.
- B. The security group is blocking traffic to the IP address range used by Amazon SQS.
- C. There is no interface VPC endpoint configured for Amazon SQS.
- D. The network ACL is blocking return traffic from Amazon SQS.
- E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS.
Correct answer: A, C
Explanation
Option A is correct because, without an IAM role that grants the proper permissions, the EC2 instance cannot send messages to Amazon SQS. Option C is also correct: without an interface VPC endpoint for Amazon SQS, an EC2 instance in a private subnet cannot directly access the SQS service. The other options do not apply because the unmodified default security group allows all outbound traffic and the unmodified default network ACL allows all inbound and outbound traffic, so neither blocks the necessary traffic.