ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An Amazon EC2 instance running Amazon Linux 2 hosts an internal inventory application that listens on TCP 8443 and is administered over SSH (TCP 22). Only hosts on the corporate network (10.0.0.0/16) may reach either service. The instance must also be able to initiate exactly two outbound sessions: HTTPS to the corporate Git server at 10.20.30.40 and HTTPS to the VPC's S3 interface endpoint. All other inbound and outbound traffic must be blocked. You will enforce this policy with the instance's firewalld (iptables) configuration, leaving the existing VPC security-group rules unchanged. Which firewalld rule strategy best satisfies the requirement while following the principle of least privilege?
Set the default zone target to DROP and add rules that allow TCP 22 and 8443 from 10.0.0.0/16; keep the default outbound policy at ACCEPT so the instance can reach any external service if needed.
Leave the default zone target at ACCEPT and add rich rules to reject all inbound ports except 22 and 8443; do not add any outbound rules so that the default ACCEPT continues to allow egress.
Change the default zone target to DROP; add rich rules that allow TCP 22 and 8443 only from the 10.0.0.0/16 corporate network; add two egress rules that allow TCP 443 to 10.20.30.40 and to the S3 VPC endpoint CIDR; rely on the implicit final DROP to block all other traffic.
Make no changes to firewalld and instead tighten the instance's security-group rules; rely on the VPC security group to control both inbound and outbound traffic.
The most secure approach is to establish a default-deny posture and then explicitly permit only the required flows. Changing the zone target to DROP causes any packet that does not match a rule to be discarded. Two inbound rules are then added to allow TCP 22 and TCP 8443 only from the 10.0.0.0/16 corporate CIDR, satisfying the administration and application access requirements. Two outbound rules permit TCP 443 to the specific Git server (10.20.30.40) and to the S3 interface endpoint's address range, enabling just the needed egress traffic. Because the target is DROP, all other ingress and egress attempts are automatically blocked, fully enforcing least privilege.
A configuration that retains an ACCEPT target but tries to block unwanted traffic leaves any overlooked port open. Allowing only inbound rules while leaving the default outbound ACCEPT policy would still let the instance contact arbitrary external hosts. Relying solely on the VPC security group does not meet the stated requirement to enforce controls at the host operating-system level.
Systems and Application Security