AWS Certified SysOps Administrator – Associate (legacy) — Question 694

Your entire AWS infrastructure lives inside of one Amazon VPC. You have an infrastructure monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application.
Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else? If so, how?

Answer options

Correct answer: C

Explanation

AWS security groups are stateful: once a flow is allowed in one direction, its return traffic is automatically allowed without a matching rule in the other direction. To enable the ping, you only need an outbound ICMP rule on the source (monitoring) instance's security group and an inbound ICMP rule on the destination (application) instance's security group, with the inbound rule referencing the monitoring instance's security group as its source so that no other instance can ping the application instance. The other options are incorrect because ICMP can traverse subnets within a VPC, the two instances do not need to share a security group, and stateful connection tracking removes the need to explicitly allow the outbound echo reply.
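The following is an added toy model of the stateful evaluation described above, not code from the exam or from AWS; the group IDs, instance names and the flow-tracking table are constructed stand-ins for AWS's per-interface connection tracking, and ICMP type/code matching is reduced to a protocol name. It shows that the echo request needs both an egress rule on the monitor's group and an ingress rule on the app's group, that the echo reply passes with no rule at all, and that a third instance or a non-ICMP flow is still blocked.

```python
# Toy model of stateful security-group evaluation (constructed example).
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

# Constructed groups: rules are (protocol, referenced peer security group).
SECURITY_GROUPS = {
    "sg-monitor": {"ingress": [], "egress": [("icmp", "sg-app")]},
    "sg-app":     {"ingress": [("icmp", "sg-monitor")], "egress": []},
    "sg-other":   {"ingress": [], "egress": [("icmp", "sg-app")]},
}
INSTANCE_SG = {"monitor": "sg-monitor", "app": "sg-app", "other": "sg-other"}


def _rule_allows(rules, proto, peer_sg):
    """True if any rule matches this protocol and the peer's group ID."""
    return any(p == proto and sg == peer_sg for p, sg in rules)


def evaluate(src, dst, proto, icmp_type=None, tracked=None):
    """Decide whether one packet src->dst passes, updating `tracked`.

    `tracked` holds (initiator, responder, proto) flows already admitted
    in the forward direction; it stands in for AWS connection tracking.
    """
    tracked = set() if tracked is None else tracked
    src_sg, dst_sg = INSTANCE_SG[src], INSTANCE_SG[dst]
    # Stateful shortcut: an echo reply for a tracked request needs no rule.
    if proto == "icmp" and icmp_type == ICMP_ECHO_REPLY:
        if (dst, src, proto) in tracked:
            return True
    # A new flow must satisfy BOTH the sender's egress and receiver's ingress.
    egress_ok = _rule_allows(SECURITY_GROUPS[src_sg]["egress"], proto, dst_sg)
    ingress_ok = _rule_allows(SECURITY_GROUPS[dst_sg]["ingress"], proto, src_sg)
    if egress_ok and ingress_ok:
        tracked.add((src, dst, proto))
        return True
    return False


def ping_round_trip(src, dst):
    """Echo request src->dst then the reply back; returns (req_ok, reply_ok)."""
    flows = set()
    req = evaluate(src, dst, "icmp", ICMP_ECHO_REQUEST, flows)
    rep = evaluate(dst, src, "icmp", ICMP_ECHO_REPLY, flows) if req else False
    return req, rep


if __name__ == "__main__":
    print("monitor -> app:", ping_round_trip("monitor", "app"))   # (True, True)
    print("app -> monitor:", ping_round_trip("app", "monitor"))   # (False, False)
    print("other -> app:", ping_round_trip("other", "app"))       # (False, False)
```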