AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

A company runs a two-tier web app in one VPC. An internet-facing ALB in public subnets listens on TCP 443 and forwards to EC2 instances in private subnets. Security group SG-ALB allows TCP 443 from 0.0.0.0/0. Security group SG-App also allows TCP 443 from 0.0.0.0/0. An audit requires SG-App to accept traffic only from the ALB. What is the most operationally efficient change?

Add an outbound rule to SG-ALB that allows TCP 443 to SG-App and remove the inbound rule from SG-App.
Replace the inbound rule in SG-App to allow TCP 443 from the security group SG-ALB.
Replace the inbound rule in SG-App to allow TCP 443 from the private subnet CIDR ranges that host the ALB's network interfaces.
Replace the inbound rule in SG-App to allow TCP 443 from the public subnet CIDR ranges that host the ALB.

Report Issue

Answer Description

Referencing the ALB's security group as the source of an inbound rule automatically limits traffic to the network interfaces that are currently associated with that security group. This approach scales with the ALB, requires no manual updates when IP addresses or subnets change, and maintains stateful return traffic without additional rules. Specifying subnet CIDR blocks would need updates if the ALB is moved or if new subnets are added, and modifying only outbound rules on SG-ALB does not allow the instances to accept the inbound connection. Therefore, replacing the inbound rule in SG-App to allow TCP 443 from SG-ALB is the correct and least-maintenance solution.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.