AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
After applying a custom network ACL to a private subnet that hosts EC2 instances that call external SaaS APIs through a NAT gateway, outbound HTTPS traffic fails. The ACL allows outbound TCP 443 to 0.0.0.0/0 and denies all other outbound traffic. Inbound rules allow TCP 22 from 10.0.0.0/16 and TCP 443 from 0.0.0.0/0, then deny all. Which modification will restore connectivity with least privilege?
Add an outbound allow rule for TCP ports 1024-65535 to 0.0.0.0/0.
Change the existing outbound rule to allow all protocols to 0.0.0.0/0.
Add an inbound allow rule for TCP ports 1024-65535 from 0.0.0.0/0.
Replace the outbound rule with UDP port 443 to 0.0.0.0/0.
Network ACLs are stateless, so return traffic must be explicitly permitted. When an instance initiates an HTTPS session, the reply from the remote host arrives from source port 443 and is addressed to an ephemeral port (1024-65535) on the instance. Because the inbound rule set does not currently allow that destination port range, the response is dropped, breaking the connection. Adding an inbound rule that allows TCP 1024-65535 from any source permits only the necessary return traffic while leaving other traffic blocked, satisfying the principle of least privilege. Allowing the same range on the outbound side does nothing for inbound return packets, and opening all ports or all protocols is less restrictive than required.
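To make the stateless evaluation concrete, here is an added example (not part of the original question page) that models the rule set in the question as ordered network ACL rules and checks both halves of one HTTPS session: the original inbound set, the corrected one with the ephemeral-port rule, and the outbound-only distractor. The SaaS address and ephemeral port are constructed values.

```python
# Added example: minimal simulation of stateless network ACL evaluation for the
# rule sets in the question above (rule tuples and addresses are constructed).
import ipaddress

# Rule: (rule_number, protocol, port_from, port_to, cidr, action); evaluated in
# ascending rule-number order, first match wins, like an AWS network ACL.
ORIG_OUTBOUND = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (32767, "all", 0, 65535, "0.0.0.0/0", "deny"),
]
ORIG_INBOUND = [
    (100, "tcp", 22, 22, "10.0.0.0/16", "allow"),
    (110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (32767, "all", 0, 65535, "0.0.0.0/0", "deny"),
]
# Correct fix: inbound allow for the ephemeral range so return packets pass.
FIXED_INBOUND = sorted(ORIG_INBOUND + [(120, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])
# Distractor: same range added on the outbound side only (does not help the reply).
DISTRACTOR_OUTBOUND = sorted(ORIG_OUTBOUND + [(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])

def evaluate(rules, proto, port, remote_ip):
    """Return the action of the first matching rule. 'port' is the destination
    port of the packet in the direction being checked; 'remote_ip' the other end."""
    addr = ipaddress.ip_address(remote_ip)
    for _num, r_proto, lo, hi, cidr, action in sorted(rules):
        if r_proto not in ("all", proto):
            continue
        if not (lo <= port <= hi):
            continue
        if addr not in ipaddress.ip_network(cidr):
            continue
        return action
    return "deny"  # implicit deny when nothing matches

def https_session(inbound_rules, outbound_rules, saas_ip="203.0.113.10", ephemeral=49152):
    """Stateless check of both halves of one HTTPS session from the instance.
    saas_ip is a constructed documentation address standing in for the SaaS API."""
    # Instance -> SaaS: destination port 443, checked against the outbound rules.
    request = evaluate(outbound_rules, "tcp", 443, saas_ip)
    # SaaS -> instance: source port 443, destination = the instance's ephemeral
    # port, checked against the inbound rules (the NAT gateway does not alter this).
    reply = evaluate(inbound_rules, "tcp", ephemeral, saas_ip)
    return {"request": request, "reply": reply, "connected": request == reply == "allow"}

if __name__ == "__main__":
    print("original:  ", https_session(ORIG_INBOUND, ORIG_OUTBOUND))
    print("fixed:     ", https_session(FIXED_INBOUND, ORIG_OUTBOUND))
    print("distractor:", https_session(ORIG_INBOUND, DISTRACTOR_OUTBOUND))
```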