AWS Certified Security – Specialty — Question 67
A Software Engineer is trying to figure out why network connectivity to an Amazon EC2 instance does not appear to be working correctly. Its security group allows inbound HTTP traffic from 0.0.0.0/0, and the outbound rules have not been modified from the default. A custom network ACL associated with its subnet allows inbound HTTP traffic from 0.0.0.0/0 and has no outbound rules.
What would resolve the connectivity issue?
Answer options
- A. The outbound rules on the security group do not allow the response to be sent to the client on the ephemeral port range.
- B. The outbound rules on the security group do not allow the response to be sent to the client on the HTTP port.
- C. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.
- D. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the HTTP port.
Correct answer: C
Explanation
The correct answer is C. Network ACLs are stateless: every packet is evaluated on its own against the rules for its direction, so a network ACL with no outbound rules drops every response the instance tries to send. The client connects to port 80 from a source port in the ephemeral range, and the response is addressed back to that ephemeral port, so an outbound rule allowing the ephemeral port range is required to complete the TCP connection. Options A and B are incorrect because security groups are stateful: once the inbound request is allowed, the response is allowed automatically regardless of the outbound rules (and the unmodified default outbound rule allows all traffic anyway). Option D is incorrect because the response is sent to the client's ephemeral port, not to port 80, so an outbound rule for HTTP would not match it.
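The stateless-versus-stateful behaviour behind the answer, as an added model that is not part of the original question or of any AWS tooling: a tiny evaluator for a security group and a network ACL runs the HTTP request and its response through the configurations described above and through the fixes in options C and D. CIDR matching is omitted (every rule here is assumed to be 0.0.0.0/0) and the rule layouts are constructed for illustration.

```python
# Constructed model of the scenario: a stateful security group and a
# stateless network ACL evaluated against one HTTP request/response pair.
# CIDRs are omitted; assume every rule applies to 0.0.0.0/0.

EPHEMERAL = (1024, 65535)  # client source-port range the reply goes back to

def nacl_allows(nacl, direction, dst_port):
    """Stateless: each packet is checked on its own, rules evaluated in
    ascending rule-number order, first match wins, implicit deny otherwise."""
    for _num, (action, (lo, hi)) in sorted(nacl.get(direction, {}).items()):
        if lo <= dst_port <= hi:
            return action == "allow"
    return False

def sg_allows(sg, direction, dst_port, tracked_flow):
    """Stateful: a reply belonging to an already-allowed flow passes regardless
    of the rules in the reply direction; otherwise any allow rule suffices."""
    if tracked_flow:
        return True
    return any(lo <= dst_port <= hi for lo, hi in sg.get(direction, []))

def http_exchange(sg, nacl, client_port=49152):
    """Return what happens to a client request to port 80 and its response."""
    # Request: client:client_port -> instance:80, inbound to the instance
    if not (nacl_allows(nacl, "in", 80) and sg_allows(sg, "in", 80, False)):
        return "request dropped"
    # Response: instance:80 -> client:client_port, outbound from the instance
    if not (sg_allows(sg, "out", client_port, True)
            and nacl_allows(nacl, "out", client_port)):
        return "response dropped"
    return "ok"

# Constructed configurations matching the question and its answer options
SG_DEFAULT = {"in": [(80, 80)], "out": [(0, 65535)]}   # default egress: allow all
SG_NO_EGRESS = {"in": [(80, 80)], "out": []}           # what options A/B worry about
NACL_QUESTION = {"in": {100: ("allow", (80, 80))}, "out": {}}
NACL_OPTION_C = {"in": {100: ("allow", (80, 80))}, "out": {100: ("allow", EPHEMERAL)}}
NACL_OPTION_D = {"in": {100: ("allow", (80, 80))}, "out": {100: ("allow", (80, 80))}}

if __name__ == "__main__":
    print("as described   :", http_exchange(SG_DEFAULT, NACL_QUESTION))    # response dropped
    print("option C       :", http_exchange(SG_DEFAULT, NACL_OPTION_C))    # ok
    print("option D       :", http_exchange(SG_DEFAULT, NACL_OPTION_D))    # response dropped
    print("C, no SG egress:", http_exchange(SG_NO_EGRESS, NACL_OPTION_C))  # ok (SG is stateful)
```

The last line shows why the security group's outbound rules are a red herring: even with no egress rules at all, the stateful security group lets the tracked response through, while the stateless network ACL needs the explicit ephemeral-range rule.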