AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An operations engineer is defining security for a newly deployed three-tier web application in a single VPC. The application tier EC2 instances reside in private subnets and receive traffic exclusively from an internal Application Load Balancer. The engineer must permit only the load balancer to initiate HTTPS connections to the instances, even when the load balancer scales. How should the security group for the application tier be configured?
Add an inbound rule that allows TCP 443 with the source set to the load balancer's subnet CIDR ranges.
Attach the load balancer's security group to the application EC2 instances instead of creating a separate security group.
Add an inbound rule that allows TCP 443 with the source set to the security group ID of the Application Load Balancer.
Create a network ACL for the private subnets that allows inbound TCP 443 from 0.0.0.0/0.
Referencing the load balancer's security group in the application tier security group provides least-privilege, stateful filtering that scales automatically. An inbound rule that allows TCP 443 from the ALB's security group ID admits traffic only from ENIs that belong to the load balancer, regardless of how many nodes AWS adds or removes. Using subnet CIDR blocks is broader and would also allow any other resource in those subnets. Attaching the ALB's security group to the instances breaks the tiered model and overrides intended instance rules. Network ACLs are stateless and the proposed rule is overly permissive, exposing the instances to the entire internet.
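To make the difference between the correct rule and the CIDR-based alternative concrete, the following added example (not part of the original question or the exam source) encodes both rule sets in the shape that boto3's describe_security_groups returns for IpPermissions and runs a small audit over them; the security group ID and CIDR blocks are constructed placeholders, and no AWS call is made.

```python
from typing import Any

ALB_SG_ID = "sg-0123456789abcdef0"  # placeholder: the internal ALB's security group

# Correct configuration: TCP 443 admitted only from the ALB's security group.
APP_SG_RULES_CORRECT: list[dict[str, Any]] = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]},
]

# Broader alternative: the same port opened to the load balancer's subnet CIDRs (constructed).
APP_SG_RULES_CIDR: list[dict[str, Any]] = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.2.0/24"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
]


def _covers_https(perm: dict[str, Any]) -> bool:
    """True if this permission admits TCP 443 (explicitly or via 'all traffic', -1)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= 443 <= hi


def audit_https_ingress(ip_permissions: list[dict[str, Any]], alb_sg_id: str):
    """Return (compliant, findings) for an application-tier security group.

    Compliant means at least one rule admits TCP 443 from the ALB's security
    group and no rule reaching 443 uses a CIDR source or some other group.
    """
    findings: list[str] = []
    saw_alb_rule = False
    for perm in ip_permissions:
        if not _covers_https(perm):
            continue
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            findings.append(f"443 open to CIDR {cidr}: admits any resource in that range")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == alb_sg_id:
                saw_alb_rule = True  # scales with the ALB: any ENI in that group matches
            else:
                findings.append(f"443 open to unexpected group {pair.get('GroupId')}")
    if not saw_alb_rule:
        findings.append("no rule admits 443 from the ALB security group")
    return (not findings, findings)
```

The audit also treats an "all traffic" (IpProtocol -1) rule as reaching port 443, so an over-broad catch-all rule is reported rather than missed.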
Networking and Content Delivery