AWS Certified SysOps Administrator – Associate (legacy) — Question 689

An application resides on multiple EC2 instances in public subnets in two Availability Zones. To improve security, the Information Security team has deployed an
Application Load Balancer (ALB) in separate subnets and pointed the DNS at the ALB instead of the EC2 instances.
After the change, traffic is not reaching the instances, and an error is being returned from the ALB.
What steps must a SysOps Administrator take to resolve this issue and improve the security of the application? (Choose two.)

Answer options

• A. Add the EC2 instances to the ALB target group, configure the health check, and ensure that the instances report healthy.
• B. Add the EC2 instances to an Auto Scaling group, configure the health check to ensure that the instances report healthy, and remove the public IPs from the instances.
• C. Create a new subnet in which EC2 instances and ALB will reside to ensure that they can communicate, and remove the public IPs from the instances.
• D. Change the security group for the EC2 instances to allow access from only the ALB security group, and remove the public IPs from the instances.
• E. Change the security group to allow access from 0.0.0.0/0, which permits access from the ALB.

Correct answer: B, D

Explanation

To secure the application and ensure proper traffic flow, the instances should be managed via an Auto Scaling group with health checks enabled, and their public IP addresses should be removed to prevent direct internet exposure. Furthermore, updating the EC2 instances' security group to only allow traffic originating from the ALB's security group ensures that all incoming traffic is properly filtered through the load balancer.