AWS Certified Security – Specialty (SCS-C02) — Question 91

A company has deployed servers on Amazon EC2 instances in a VPC. External vendors access these servers over the internet. Recently, the company deployed a new application on EC2 instances in a new CIDR range. The company needs to make the application available to the vendors.

A security engineer verified that the associated security groups and network ACLs are allowing the required ports in the inbound direction. However, the vendors cannot connect to the application.

Which solution will provide the vendors access to the application?

Answer options

Correct answer: B

Explanation

The correct answer is B. Network ACLs are stateless, so return traffic is not allowed automatically; allowing outbound traffic to ephemeral ports ensures that the responses to the vendors' requests can return properly. Options A and D do not address the outbound traffic issue. Option C incorrectly suggests modifying the internet gateway, which does not control traffic the way network ACLs do.
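
The stateless behaviour behind answer B, as an added example that is not part of the original question: a small model of network ACL evaluation in which the inbound rule admits the vendor's request but the reply to the vendor's ephemeral port is dropped until an outbound rule covers that range. The rule numbers, application port 443, the 1024-65535 ephemeral range and the vendor address 203.0.113.10 are constructed assumptions, not values from the question.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int    # rules are evaluated in ascending order, first match wins
    cidr: str      # source CIDR for inbound rules, destination CIDR for outbound
    port_lo: int   # destination port range the rule covers
    port_hi: int
    allow: bool


def evaluate(rules, peer_ip, dest_port):
    """Stateless check for one direction: the first matching rule decides."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        in_cidr = ip in ipaddress.ip_network(rule.cidr)
        if in_cidr and rule.port_lo <= dest_port <= rule.port_hi:
            return rule.allow
    return False  # the implicit "*" rule denies anything left unmatched


def trace(inbound, outbound, vendor_ip, vendor_src_port, app_port):
    """Check both legs of one TCP exchange; a NACL keeps no connection state."""
    return {
        # Request: vendor -> application, destination port is the app port.
        "request_in": evaluate(inbound, vendor_ip, app_port),
        # Reply: application -> vendor, destination port is the vendor's
        # ephemeral source port, so the outbound rules must cover it.
        "reply_out": evaluate(outbound, vendor_ip, vendor_src_port),
    }


# Constructed sample rules (assumptions, not taken from the question).
INBOUND = [Rule(100, "0.0.0.0/0", 443, 443, True)]
OUTBOUND_BEFORE = [Rule(100, "0.0.0.0/0", 443, 443, True)]
OUTBOUND_AFTER = OUTBOUND_BEFORE + [Rule(110, "0.0.0.0/0", 1024, 65535, True)]

VENDOR_IP, VENDOR_SRC_PORT, APP_PORT = "203.0.113.10", 50123, 443

if __name__ == "__main__":
    for label, outbound in (("before", OUTBOUND_BEFORE), ("after", OUTBOUND_AFTER)):
        result = trace(INBOUND, outbound, VENDOR_IP, VENDOR_SRC_PORT, APP_PORT)
        print(label, result, "connects" if all(result.values()) else "fails")
```

A security group with the same inbound rule would not need the second step, because security groups track connections and allow the reply automatically.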