AWS Certified Security – Specialty — Question 122

Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic.
Which of the following troubleshooting steps should be performed?

Answer options

• A. Check inbound and outbound security groups, looking for DENY rules
• B. Check inbound and outbound Network ACL rules, looking for DENY rules
• C. Review the rejected packet reason codes in the VPC Flow Logs
• D. Use AWS X-Ray to trace the end-to-end application flow

Correct answer: B

Explanation

The correct answer is B because Network ACLs control traffic at the subnet level, and a DENY rule here could be blocking communication between the EC2 instances. The other options are less relevant, as security groups do not have DENY rules, VPC Flow Logs do not specifically indicate ACL issues, and AWS X-Ray is more suited for application-level tracing rather than network issues.