AWS Certified Solutions Architect Professional SAP-C02 Practice Question

A solutions architect is hardening a private application subnet (Subnet-App) in a production VPC. The subnet contains Amazon Linux EC2 instances that call an external SaaS endpoint over HTTPS through a NAT gateway in a public subnet.

The security group attached to the instances already allows all outbound traffic and no inbound traffic.

A new compliance requirement states that:

  • Only HTTPS (TCP 443) egress to the internet must be allowed, and
  • All other ports must be blocked, while
  • Return traffic for legitimate connections must continue to function.

The architect attaches a custom network ACL (NACL) to Subnet-App with these rules:

Inbound rules
100 - Allow TCP 443 0.0.0.0/0
120 - Deny ALL 0.0.0.0/0

Outbound rules
100 - Allow TCP 443 0.0.0.0/0
120 - Deny ALL 0.0.0.0/0

After the change, outbound HTTPS sessions time out.

Which modification to the NACL will satisfy the requirement with the fewest additional rules?

  • Replace the NACL with a security group because NACLs are stateful and already allow return traffic.

  • Add an inbound rule that allows TCP ports 1024-65535 from 0.0.0.0/0.

  • Add an inbound rule that allows TCP port 443 from the NAT gateway's Elastic IP address.

  • Add an outbound rule that allows TCP ports 1024-65535 to 0.0.0.0/0.
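To reason about the scenario it helps to model how a network ACL actually processes packets: inbound and outbound rule sets are evaluated independently, rules are checked in ascending number order, the first match wins, and the port range of a rule is compared against the packet's destination port. The following simulator is an added illustration written for this page, not code from the question or from AWS. The rule numbers, ports and CIDRs are the question's; the HTTPS flow (an instance picking ephemeral source port 40000, which lies inside the Amazon Linux ephemeral range of 32768-60999, to reach a SaaS endpoint on 443) is a constructed sample. Because every rule here uses 0.0.0.0/0, the model matches on protocol and port only.

```python
"""Minimal stateless NACL evaluator (added example, not from the original page).

AWS network ACLs are stateless: the outbound rule set sees the request
packet and the inbound rule set sees the reply, with no connection
tracking between them. Each set is walked in ascending rule-number
order, the first matching rule decides, and the implicit final rule
denies anything unmatched.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # "allow" or "deny"
    protocol: str      # "tcp" or "all"
    port_from: int     # destination-port range, inclusive (ignored for "all")
    port_to: int


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_port: int
    dst_port: int


# The NACL from the question (all rules use 0.0.0.0/0, so no CIDR check is needed).
INBOUND_RULES = [
    Rule(100, "allow", "tcp", 443, 443),
    Rule(120, "deny", "all", 0, 65535),
]
OUTBOUND_RULES = [
    Rule(100, "allow", "tcp", 443, 443),
    Rule(120, "deny", "all", 0, 65535),
]


def evaluate(rules, packet):
    """Return "allow" or "deny" for one packet against one direction's rule set."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol == "all":
            return rule.action
        if rule.protocol == packet.protocol and rule.port_from <= packet.dst_port <= rule.port_to:
            return rule.action
    return "deny"  # AWS's implicit "*" rule


def https_session(inbound_rules, outbound_rules, ephemeral_port):
    """Evaluate both halves of one HTTPS session from an instance in the subnet.

    Returns (request_verdict, reply_verdict). The request leaves the subnet with
    destination port 443; the reply comes back with destination port equal to
    the ephemeral source port the instance chose.
    """
    request = Packet("tcp", ephemeral_port, 443)
    reply = Packet("tcp", 443, ephemeral_port)
    return evaluate(outbound_rules, request), evaluate(inbound_rules, reply)


if __name__ == "__main__":
    # Constructed sample flow: ephemeral source port 40000 to the SaaS endpoint on 443.
    print("question's NACL:", https_session(INBOUND_RULES, OUTBOUND_RULES, 40000))
    # Same NACL with one extra inbound rule covering the ephemeral port range.
    with_ephemeral = INBOUND_RULES + [Rule(110, "allow", "tcp", 1024, 65535)]
    print("with ephemeral inbound rule:", https_session(with_ephemeral, OUTBOUND_RULES, 40000))
    # A non-HTTPS egress attempt is still denied by the outbound set.
    print("outbound SSH attempt:", evaluate(OUTBOUND_RULES, Packet("tcp", 40001, 22)))
```

Running the script shows the request leaving on rule 100 of the outbound set while the reply, whose destination port is 40000 rather than 443, falls through to inbound rule 120 and is dropped, which is exactly the timeout the scenario describes. Adding the ephemeral-range inbound rule lets the reply through without loosening the outbound set, so port 22 egress remains denied.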

Design for New Solutions