AWS Certified SysOps Administrator – Associate — Question 195

A SysOps administrator is creating a simple, public-facing website running on Amazon EC2. The SysOps administrator created the EC2 instance in an existing public subnet and assigned an Elastic IP address to the instance. Next, the SysOps administrator created and applied a new security group to the instance to allow incoming HTTP traffic from 0.0.0.0/0. Finally, the SysOps administrator created a new network ACL and applied it to the subnet to allow incoming HTTP traffic from 0.0.0.0/0. However, the website cannot be reached from the internet.

What is the cause of this issue?

Answer options

• A. The SysOps administrator did not create an outbound rule that allows ephemeral port return traffic in the new network ACL.
• B. The SysOps administrator did not create an outbound rule in the security group that allows HTTP traffic from port 80.
• C. The Elastic IP address assigned to the EC2 instance has changed.
• D. There is an additional network ACL associated with the subnet that includes a rule that denies inbound HTTP traffic from port 80.

Correct answer: A

Explanation

The correct answer is A because the network ACL needs to allow return traffic for the established connections, which typically uses ephemeral ports. If this outbound rule is missing, the instance won't respond to incoming requests. Options B, C, and D are incorrect as they pertain to issues that do not directly prevent HTTP traffic from reaching the website.