AWS Certified Security – Specialty (SCS-C02) — Question 304
A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website. The company uses SSH for management of the web server.
The website is on the subnet 10.0.1.0/24. The management subnet is 192.168.100.0/24. A security engineer must create a security group for the EC2 instance.
Which combination of steps should the security engineer take to meet these requirements in the MOST secure manner? (Choose two.)
Answer options
- A. Allow port 22 from source 0.0.0.0/0.
- B. Allow port 443 from source 0.0.0.0/0.
- C. Allow port 22 from 192.168.100.0/24.
- D. Allow port 22 from 10.0.1.0/24.
- E. Allow port 443 from 10.0.1.0/24.
Correct answer: B, C
Explanation
To secure the EC2 instance, HTTPS traffic (port 443) must be reachable from the public internet (0.0.0.0/0) because the instance hosts a public website, so option B is correct. For management, SSH traffic (port 22) should be restricted to the administrative subnet (192.168.100.0/24) rather than opened to the public internet or to the web server's own subnet, so option C is correct. The remaining options are incorrect: A exposes SSH to the entire internet, D permits SSH from the web subnet (10.0.1.0/24) instead of the management subnet, and E limits HTTPS to the web subnet, which would block the public web traffic the site requires.