AWS Certified SysOps Administrator – Associate — Question 267

A user is connected to an Amazon EC2 instance in a private subnet. The user is unable to access the internet from the instance by using the following curl command: curl http://www.example.com.

A SysOps administrator reviews the VPC configuration and learns the following information:

• The private subnet has a route to a NAT gateway for CIDR 0.0.0.0/0
• The outbound security group for the EC2 instance contains one rule: outbound for port 443 to CIDR 0.0.0.0/0
• The inbound security group for the EC2 instance allows ports 22 and 443 from the user's IP address.
• The inbound network ACL for the subnet allows port 22 and port range 1024-65535 from CIDR 0.0.0.0/0

Which action will allow the user to complete the curl request successfully?

Answer options

Correct answer: C

Explanation

The command curl http://www.example.com initiates an unencrypted HTTP request, which requires outbound communication over port 80. Since the instance's outbound security group is currently configured to only allow port 443 traffic, the request is blocked before leaving the instance. Adding an outbound security group rule for port 80 to 0.0.0.0/0 resolves this, and because security groups are stateful, the return traffic is automatically allowed.
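The evaluation order described above can be traced with a small model. This is an added example, not part of the original question or of any AWS tooling: the rule tuples come from the question, while the function names, the destination address 203.0.113.10 and the client ports are constructed, and the outbound network ACL and NAT gateway path are assumed to permit the traffic.

```python
from ipaddress import ip_address, ip_network

# Rules from the question, as (from_port, to_port, cidr) tuples.
SG_EGRESS = [(443, 443, "0.0.0.0/0")]
NACL_INBOUND_ALLOW = [(22, 22, "0.0.0.0/0"), (1024, 65535, "0.0.0.0/0")]


def matches(rules, port, ip):
    """True if any rule covers this port and this address."""
    return any(lo <= port <= hi and ip_address(ip) in ip_network(cidr)
               for lo, hi, cidr in rules)


def trace_request(dst_ip, dst_port, client_port, sg_egress, nacl_inbound):
    """Return the first control that drops the flow, or 'allowed'.

    Assumption: the outbound network ACL and the NAT gateway route
    permit the traffic, so they are not modelled here.
    """
    # 1. Security group egress is checked against the destination port
    #    of the outgoing request.
    if not matches(sg_egress, dst_port, dst_ip):
        return "blocked: security group egress"
    # 2. Security groups are stateful: the response to an allowed request
    #    is admitted without consulting the inbound security group rules.
    # 3. Network ACLs are stateless: the response is addressed to the
    #    client's ephemeral port and needs an inbound allow rule.
    if not matches(nacl_inbound, client_port, dst_ip):
        return "blocked: inbound network ACL"
    return "allowed"


if __name__ == "__main__":
    server = "203.0.113.10"   # constructed documentation address
    eph = 49152               # constructed ephemeral source port
    fixed = SG_EGRESS + [(80, 80, "0.0.0.0/0")]
    print("http, current rules :", trace_request(server, 80, eph, SG_EGRESS, NACL_INBOUND_ALLOW))
    print("https, current rules:", trace_request(server, 443, eph, SG_EGRESS, NACL_INBOUND_ALLOW))
    print("http, port 80 added :", trace_request(server, 80, eph, fixed, NACL_INBOUND_ALLOW))
```

The inbound network ACL range 1024-65535 matters only for the response: a client source port outside that range would be dropped at the ACL even after the port 80 egress rule is added.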