AWS Certified Security – Specialty — Question 380

A company has deployed servers on Amazon EC2 instances in a VPC. External vendors access these servers over the internet. Recently, the company deployed a new application on EC2 instances in a new CIDR range. The company needs to make the application available to the vendors.

A security engineer verified that the associated security groups and network ACLs are allowing the required ports in the inbound direction. However, the vendors cannot connect to the application.

Which solution will provide the vendors access to the application?

Answer options

Correct answer: B

Explanation

Network ACLs are stateless: they keep no connection state, so return traffic is never allowed automatically and each direction must be permitted by its own rule. The response to a vendor's request leaves the subnet with a destination port in the client's ephemeral range, not on the application port, so the subnet's network ACL needs an outbound rule that allows that range (the AWS documentation recommends opening 1024-65535 outbound to cover the ephemeral ranges used by different client operating systems and by NAT devices). A custom network ACL created for a new subnet denies all traffic in both directions until rules are added, which is why a new CIDR range can pass the inbound check and still fail. The other options do not help: security groups are stateful, so once an inbound rule admits the request the response is tracked and allowed without a corresponding outbound rule, and the inbound rules have already been verified; an internet gateway has no configurable security rules; and copying the inbound rules to the outbound direction would only allow traffic destined to the application port, which still drops the return packets addressed to the clients' ephemeral ports.
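The evaluation described above, as an added example that is not part of the exam page: a small model of how a network ACL processes one TCP connection (numbered rules, lowest number first, first match wins, implicit final deny in each direction) next to the stateful behaviour of a security group. It shows that an outbound rule set that merely mirrors the inbound rules admits the vendor's request but drops the response, while an outbound rule covering the ephemeral range admits both. The vendor address, ports and rule numbers are constructed for the illustration.

```python
"""Stateless NACL vs stateful security-group evaluation for one TCP flow.

Added example, not part of the exam page. Models the AWS network ACL
evaluation order (numbered rules, ascending, first match wins, implicit
final deny) and the stateful behaviour of a security group. Addresses,
ports and rule numbers below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple

# Range the AWS documentation recommends opening outbound so that the
# ephemeral source ports of Linux, Windows and NAT clients are all covered.
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int             # NACL rule number; evaluated in ascending order
    action: str             # "allow" or "deny"
    cidr: str               # remote CIDR (source if inbound, destination if outbound)
    ports: Tuple[int, int]  # destination port range (low, high), inclusive


def nacl_decision(rules: Iterable[Rule], remote_ip: str, dst_port: int) -> bool:
    """Return True if one packet passes a stateless NACL rule list."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        low, high = rule.ports
        if addr in ipaddress.ip_network(rule.cidr) and low <= dst_port <= high:
            return rule.action == "allow"   # first matching rule decides
    return False                            # the implicit "*" deny rule


def nacl_flow(inbound: Iterable[Rule], outbound: Iterable[Rule],
              client_ip: str, client_port: int,
              server_port: int) -> Tuple[bool, bool]:
    """Evaluate both packets of one TCP exchange through a NACL.

    Request:  client:client_port -> server:server_port, checked inbound.
    Response: server:server_port -> client:client_port, checked outbound.
    The NACL keeps no state, so the response is judged on its own, and its
    destination port is the client's ephemeral port, not the app port.
    """
    request_ok = nacl_decision(inbound, client_ip, server_port)
    response_ok = nacl_decision(outbound, client_ip, client_port)
    return request_ok, response_ok


def sg_flow(inbound_allowed: bool) -> Tuple[bool, bool]:
    """A security group is stateful: if the inbound rule admits the request,
    the response is tracked and allowed with no outbound rule at all."""
    return inbound_allowed, inbound_allowed


# Constructed scenario: vendor at 203.0.113.10 connects to the app on TCP 443
# from ephemeral source port 51234.
VENDOR_IP, VENDOR_PORT, APP_PORT = "203.0.113.10", 51234, 443
INBOUND = [Rule(100, "allow", "203.0.113.0/24", (APP_PORT, APP_PORT))]

# Distractor: outbound rules that simply mirror the inbound rules.
OUTBOUND_MIRRORED = [Rule(100, "allow", "203.0.113.0/24", (APP_PORT, APP_PORT))]
# Correct fix: outbound rule covering the clients' ephemeral port range.
OUTBOUND_EPHEMERAL = [Rule(100, "allow", "203.0.113.0/24", EPHEMERAL)]


def mirrored_result() -> Tuple[bool, bool]:
    return nacl_flow(INBOUND, OUTBOUND_MIRRORED, VENDOR_IP, VENDOR_PORT, APP_PORT)


def ephemeral_result() -> Tuple[bool, bool]:
    return nacl_flow(INBOUND, OUTBOUND_EPHEMERAL, VENDOR_IP, VENDOR_PORT, APP_PORT)


if __name__ == "__main__":
    print("mirrored outbound :", mirrored_result())   # (True, False): SYN in, SYN-ACK dropped
    print("ephemeral outbound:", ephemeral_result())  # (True, True)
    print("security group    :", sg_flow(True))       # (True, True)
```

The first-match rule in `nacl_decision` is the part worth remembering when reading a real ACL: a low-numbered deny on the ephemeral range silently overrides a later allow, so the outbound fix must have a lower rule number than any deny that could match the return traffic.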