A company has a web server running on an Amazon EC2 instance in a public subnet with an Elastic IP address. The default security group is assigned to the EC2 instance. The default network ACL has been modified to block all traffic. A solutions architect needs to make the web server accessible from everywhere on port 443.
Which combination of steps will accomplish this task? (Choose two.)
A. Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0.
B. Create a security group with a rule to allow TCP port 443 to destination 0.0.0.0/0.
C. Update the network ACL to allow TCP port 443 from source 0.0.0.0/0.
D. Update the network ACL to allow inbound/outbound TCP port 443 from source 0.0.0.0/0 and to destination 0.0.0.0/0.
E. Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0/0.0.0/0.
How To Pass SAA-C02 Exam?Amazon SAA-C02 PDF dumps.High quality SAA-C02 pdf and software. VALID exam to help you pass. |
 |
Answer is A & E.
in bidirectional communication, the server inthis case will be reached on port 80, but the communication will be initiated from the client on an ephemeral port, the server will then need to respond back to the epheral port, but if the ephemeral ports are blocked due to “all ports blocked”…and we know NACLs are stateless, the communication will be broken.
Therefore A & E are correct.
I’ll go with A & D, even though E says allow outbound to any ports, still that’s a security risk on its own
A and C are correct.
C: because Default NACL allows all traffic IN/OUT so also ephemeral ports (IN/OUT)
A and C