AWS Certified Security – Specialty (SCS-C02) — Question 132

Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.

Which of the following troubleshooting steps should be performed?

Answer options

• A. Check inbound and outbound security groups, looking for DENY rules
• B. Check inbound and outbound Network ACL rules, looking for DENY rules
• C. Review the rejected packet reason codes in the VPC Flow Logs
• D. Use AWS X-Ray to trace the end-to-end application flow

Correct answer: C

Explanation

The correct answer is C because VPC Flow Logs provide insight into the traffic and can show why packets were rejected, which is critical for troubleshooting connectivity issues. Options A and B are not relevant, as there are no DENY rules indicated in the scenario. Option D, while useful for application-level tracing, does not address the fundamental networking issue at hand.