AWS Certified Solutions Architect – Professional — Question 371

A government client needs you to set up secure cryptographic key storage for some of their extremely confidential data. You decide that the AWS CloudHSM is the best service for this.
However, there seem to be a few pre-requisites before this can happen, one of those being a security group that has certain ports open.
Which of the following is correct in regards to those security groups?

Answer options

• A. A security group that has no ports open to your network.
• B. A security group that has only port 3389 (for RDP) open to your network.
• C. A security group that has only port 22 (for SSH) open to your network.
• D. A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network.

Correct answer: D

Explanation

To successfully configure and connect to AWS CloudHSM, the client instances must be reachable from your network. This requires a security group that permits inbound traffic on either port 22 (for SSH on Linux clients) or port 3389 (for RDP on Windows clients). Restricting all ports or limiting to only one OS-specific port by default would prevent administrators from managing the client instances associated with the HSM.