AWS Certified Security – Specialty — Question 85

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host
(IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following:
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
What action should be performed to allow the ping to work?

Answer options

Correct answer: D

Explanation

The correct answer is D. Read the two records with the version-2 flow log field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status): both describe the same ICMP exchange (protocol 1) on eni-1235b8ca. The echo request from 203.0.113.12 to 172.31.16.139 was ACCEPTed, but the echo reply from 172.31.16.139 back to 203.0.113.12 was REJECTed. A security group is stateful: once it accepts the inbound request, the matching reply is allowed automatically regardless of the outbound security group rules, so a security group cannot produce this accept-then-reject pattern. Only the stateless network ACL on the subnet evaluates the reply as an independent packet, and it has no outbound rule permitting ICMP to the on-premises host. Adding an outbound (egress) NACL rule that allows ICMP to 203.0.113.12 (or the on-premises CIDR), numbered lower than the deny rule that currently matches, lets the reply leave the subnet and the ping succeeds. Options A and B change security group configuration, which neither explains the REJECT nor alters the NACL's outbound rules. Option C addresses only inbound traffic, which the log already shows as ACCEPT, so it does not resolve the outbound rejection.
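The analysis above can be automated. The following is an added example, not part of the original question or its explanation: it parses version-2 VPC Flow Log records (the two lines from the question, embedded below as sample input), pairs each flow with its reverse direction, and flags any exchange that was ACCEPTed one way but REJECTed on the return leg, which is the signature of a stateless filter such as a network ACL rather than a stateful security group. It then builds the boto3 parameter set for the corrective egress NACL entry. The network ACL id, rule number and the instance IP passed to the fix function are assumptions for illustration; the function only returns the parameters and does not call AWS.

```python
"""Detect the stateless-filter signature in VPC Flow Log v2 records."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Default field order of a version-2 VPC Flow Log record.
V2_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
             "srcport", "dstport", "protocol", "packets", "bytes",
             "start", "end", "action", "log_status")
ICMP = 1

# Constructed sample input: the two records shown in the question.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_v2(line: str) -> FlowRecord:
    """Parse one space-separated version-2 record into a FlowRecord."""
    parts = line.split()
    if len(parts) != len(V2_FIELDS):
        raise ValueError(f"expected {len(V2_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(V2_FIELDS, parts))
    if rec["version"] != "2":
        raise ValueError("only version-2 records are handled here")
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]),
                      int(rec["protocol"]), rec["action"])


def flow_key(r: FlowRecord) -> Tuple:
    """Direction-independent key so a flow and its reverse leg collide."""
    ends = sorted([(r.srcaddr, r.srcport), (r.dstaddr, r.dstport)])
    return (r.interface_id, r.protocol, ends[0], ends[1])


def find_stateless_rejects(log_text: str) -> List[dict]:
    """Return one finding per flow ACCEPTed in one direction and REJECTed in the other."""
    by_key: Dict[Tuple, List[FlowRecord]] = {}
    for line in log_text.splitlines():
        if line.strip():
            r = parse_v2(line)
            by_key.setdefault(flow_key(r), []).append(r)
    findings = []
    for recs in by_key.values():
        accepted = [r for r in recs if r.action == "ACCEPT"]
        rejected = [r for r in recs if r.action == "REJECT"]
        for acc in accepted:
            for rej in rejected:
                # Reply direction is exactly the reverse of the accepted leg.
                if rej.srcaddr == acc.dstaddr and rej.dstaddr == acc.srcaddr:
                    findings.append({
                        "interface_id": acc.interface_id,
                        "protocol": acc.protocol,
                        "accepted_leg": (acc.srcaddr, acc.dstaddr),
                        "rejected_leg": (rej.srcaddr, rej.dstaddr),
                        "likely_cause": "stateless network ACL (a security group "
                                        "would have allowed the return traffic)",
                    })
    return findings


def nacl_fix_params(finding: dict, local_ip: str, acl_id: str, rule_number: int) -> dict:
    """Build boto3 ec2.create_network_acl_entry() parameters that permit the rejected leg.

    local_ip is the private IP of the ENI the log belongs to (assumed known);
    if the rejected packet originates there, the missing rule is an egress rule.
    Only ICMP is handled: TCP/UDP return traffic uses ephemeral ports and needs
    a PortRange covering 1024-65535 rather than a single-port rule.
    """
    if finding["protocol"] != ICMP:
        raise ValueError("only ICMP handled; TCP/UDP return traffic needs an ephemeral PortRange")
    src, dst = finding["rejected_leg"]
    egress = src == local_ip
    remote = dst if egress else src
    return {
        "NetworkAclId": acl_id,          # assumed id
        "Egress": egress,
        "RuleNumber": rule_number,       # must be lower than the matching deny rule
        "Protocol": "1",                 # ICMP
        "RuleAction": "allow",
        "CidrBlock": f"{remote}/32",
        "IcmpTypeCode": {"Type": -1, "Code": -1},  # all ICMP types and codes
    }


if __name__ == "__main__":
    for f in find_stateless_rejects(SAMPLE_LOG):
        print(f)
        print(nacl_fix_params(f, "172.31.16.139", "acl-0123456789abcdef0", 110))
```

Because the flow log has no direction field in version 2, the script needs to be told which address belongs to the ENI to decide whether the missing rule is inbound or outbound; for the question's records that is 172.31.16.139, so the fix comes out as an egress rule for 203.0.113.12/32. In production you would widen the CIDR to the on-premises range and, for TCP or UDP, allow the ephemeral port range instead.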