AWS Certified Security – Specialty — Question 258

A company needs to use HTTPS when connecting to its web applications to meet compliance requirements. These web applications run in Amazon VPC on
Amazon EC2 instances behind an Application Load Balancer (ALB). A security engineer wants to ensure that the load balancer will only accept connections over port 443, even if the ALB is mistakenly configured with an HTTP listener.
Which configuration steps should the security engineer take to accomplish this task?

Answer options

• A. Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB's default security group.
• B. Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC's internet gateway.
• C. Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC's internet gateway.
• D. Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.

Correct answer: D

Explanation

The correct answer is D because creating a security group that only allows inbound connections on port 443 ensures that the ALB does not accept any HTTP traffic. Option A would block port 80 but still allow the ALB to potentially listen on that port. Option B addresses inbound connections but doesn't guarantee that the ALB will only allow HTTPS traffic. Option C focuses on outbound connections and does not restrict inbound access to the ALB.