AWS Certified SysOps Administrator – Associate — Question 345
A SysOps administrator has set up a new Amazon EC2 instance as a web server in a public subnet. The instance uses HTTP port 80 and HTTPS port 443.
The SysOps administrator has confirmed internet connectivity by downloading operating system updates and software from public repositories. However, the SysOps administrator cannot access the instance from a web browser on the internet.
Which combination of steps should the SysOps administrator take to troubleshoot this issue? (Choose three.)
Answer options
- A. Ensure that the inbound rules of the instance's security group allow traffic on ports 80 and 443.
- B. Ensure that the outbound rules of the instance's security group allow traffic on ports 80 and 443.
- C. Ensure that ephemeral ports 1024-65535 are allowed in the inbound rules of the network ACL that is associated with the instance's subnet.
- D. Ensure that ephemeral ports 1024-65535 are allowed in the outbound rules of the network ACL that is associated with the instance's subnet.
- E. Ensure that the filtering rules for any firewalls that are running on the instance allow inbound traffic on ports 80 and 443.
- F. Ensure that AWS WAF is turned on for the instance and is blocking web traffic.
Correct answer: A, D, E
Explanation
To allow external clients to reach the web server, the security group must explicitly allow inbound traffic on ports 80 and 443, and any OS-level firewall on the EC2 instance must also permit that inbound traffic. Because network ACLs are stateless, the subnet's outbound NACL rules must additionally allow the return traffic to the client's ephemeral ports (1024-65535); option C checks the wrong direction, since the inbound NACL rules need to admit the client's request on ports 80 and 443 while the reply leaves under the outbound rules. Security groups are stateful, so no outbound rule is needed for return traffic (option B), and AWS WAF cannot be attached directly to an EC2 instance (option F); it protects resources such as an Application Load Balancer or CloudFront distribution placed in front of the instance.
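As an added example (not part of the exam page), the three correct checks written as an offline evaluator over constructed rule sets: the security-group and NACL dictionaries follow the shape of the EC2 DescribeSecurityGroups and DescribeNetworkAcls responses, and the host firewall is assumed to be representable as a set of accepted inbound ports. It also models NACL rule ordering, so a lower-numbered deny correctly overrides a later allow.

```python
# Added example, not from the exam page: applies checks A (SG inbound),
# D (NACL outbound ephemeral) and E (host firewall) to constructed rule sets
# shaped like DescribeSecurityGroups / DescribeNetworkAcls output.
WEB_PORTS = (80, 443)
EPHEMERAL = range(1024, 65536)  # 1024-65535: the NACL must allow these out
ANY = "0.0.0.0/0"
def sg_allows_inbound(sg, port):
    # Security groups are stateful and allow-only: one matching inbound
    # permission open to the internet is enough; no outbound rule is needed.
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if lo <= port <= hi and any(r["CidrIp"] == ANY for r in perm["IpRanges"]):
            return True
    return False

def nacl_verdict(entries, egress, port):
    # NACLs are stateless and ordered: the lowest-numbered matching rule
    # decides (allow or deny); no match means the implicit '*' deny.
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("6", "-1"):
            continue
        rng = e.get("PortRange", {"From": 0, "To": 65535})
        if rng["From"] <= port <= rng["To"] and e["CidrBlock"] == ANY:
            return e["RuleAction"] == "allow"
    return False

def troubleshoot(sg, nacl_entries, host_open_ports):
    # Return the failed checks; an empty list means A, D and E all pass.
    findings = []
    for p in WEB_PORTS:
        if not sg_allows_inbound(sg, p):
            findings.append(f"A: security group has no inbound allow for tcp/{p}")
        if p not in host_open_ports:
            findings.append(f"E: host firewall does not accept inbound tcp/{p}")
    if not all(nacl_verdict(nacl_entries, True, p) for p in EPHEMERAL):
        findings.append("D: NACL outbound rules do not allow ephemeral 1024-65535")
    return findings
# Constructed sample: the SG opens only 443 and the NACL lets only 443 back
# out, so browsers get no reply; the host firewall already accepts 80/443.
BROKEN_SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
             "ToPort": 443, "IpRanges": [{"CidrIp": ANY}]}]}
BROKEN_NACL = [{"RuleNumber": 100, "Egress": False, "Protocol": "-1",
                "RuleAction": "allow", "CidrBlock": ANY},
               {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction":
                "allow", "CidrBlock": ANY, "PortRange": {"From": 443, "To": 443}}]
FIXED_NACL = BROKEN_NACL + [{"RuleNumber": 110, "Egress": True, "Protocol": "6",
    "RuleAction": "allow", "CidrBlock": ANY, "PortRange": {"From": 1024, "To": 65535}}]
```

Running `troubleshoot(BROKEN_SG, BROKEN_NACL, {80, 443})` reports the missing inbound allow for tcp/80 (A) and the missing ephemeral egress rule (D); adding a tcp/80 permission and using FIXED_NACL clears both.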