
ANS-C01 Question #291: Real Exam Question with Answer & Explanation

The correct answer is B: Inbound - Rule 1 and Outbound - Rule 1.

Submitted by naveen.iyer · Mar 6, 2026 · Network Security

Question

A company runs a workload in a single VPC on AWS. The company's architecture contains several interface VPC endpoints for AWS services, including Amazon CloudWatch Logs and AWS Key Management Service (AWS KMS). The endpoints are configured to use a shared security group. The security group is not used for any other workloads or resources.

After a security review of the environment, the company determined that the shared security group is more permissive than necessary. The company wants to make the rules associated with the security group more restrictive. The changes to the security group rules must not prevent the resources in the VPC from using AWS services through interface VPC endpoints. The changes must prevent unnecessary access.

The security group currently uses the following rules:

  • Inbound - Rule 1: Protocol TCP, Port 443, Source 0.0.0.0/0
  • Inbound - Rule 2: Protocol TCP, Port 443, Source VPC CIDR
  • Outbound - Rule 1: Protocol All, Port All, Destination 0.0.0.0/0

Which rule or rules should the company remove to meet these requirements?

Options

  • A: Outbound - Rule 2
  • B: Inbound - Rule 1 and Outbound - Rule 1
  • C: Inbound - Rule 2 and Outbound - Rule 1
  • D: Outbound - Rule 1

Explanation

Inbound - Rule 1 (TCP 443 from 0.0.0.0/0): the network interface of an interface endpoint only needs to accept HTTPS connections from the resources inside the VPC that call the AWS service. A source of 0.0.0.0/0 admits any address that can route to the endpoint's private IP, which includes hosts in peered VPCs and networks connected over VPN or Direct Connect, and that is more than the workload requires. Removing this rule leaves Inbound - Rule 2 (TCP 443 from the VPC CIDR), which still admits every client in the VPC, so CloudWatch Logs and KMS remain reachable through the endpoints. A tighter variant, which the question does not ask for, is to replace the VPC CIDR with the security group of the client instances so that only those instances can reach the endpoints.

Outbound - Rule 1 (all protocols, all ports to 0.0.0.0/0): the endpoint network interface never initiates connections; it only answers connections made to it. Security groups are stateful, so the replies to a permitted inbound session are allowed regardless of the outbound rules. The outbound rule therefore grants nothing the endpoint uses and can be removed outright, with no narrower replacement needed.

Why the other options fail: option A names an Outbound - Rule 2 that does not exist. Options C and D both keep Inbound - Rule 1, leaving the endpoints reachable from any source, which does not "prevent unnecessary access"; option C additionally removes Inbound - Rule 2, the one scoped rule that should stay, which is the reverse of least privilege.

Before applying the change, confirm that the security group really is attached only to the endpoint network interfaces (the question states this, but a shared group that is also attached to client instances would need its outbound rules, since those instances do initiate connections), and verify afterwards that an instance in the VPC can still resolve and connect to the endpoint DNS names on port 443.
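The following added example (not part of the exam page) turns the reasoning above into an audit that a practitioner can run against the output of `aws ec2 describe-security-groups` for an endpoint-only security group. It keeps only HTTPS rules whose source lies inside the VPC (or is a security-group reference), marks every other inbound rule and every outbound rule for revocation, checks that at least one in-VPC HTTPS rule survives so the endpoints stay reachable, and renders the matching `revoke-security-group-ingress` / `revoke-security-group-egress` commands as strings. The group ID, group name and VPC CIDR are hypothetical values chosen for the constructed sample, which reproduces the question's three rules; nothing in the block calls AWS.

```python
"""Audit a security group used only by interface VPC endpoints.

Added example; not part of the exam page. Input is one element of the
"SecurityGroups" list returned by `aws ec2 describe-security-groups`.
Nothing here calls AWS: the commands are returned as strings for review.
"""
from __future__ import annotations

import ipaddress
import json

HTTPS = 443

# Constructed sample reproducing the question's three rules. The group ID,
# group name and VPC CIDR are hypothetical values chosen for this example.
VPC_CIDR = "10.0.0.0/16"
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "vpce-shared",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,      # Inbound - Rule 1
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,      # Inbound - Rule 2
         "IpRanges": [{"CidrIp": VPC_CIDR}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # Outbound - Rule 1
    ],
}


def inside_vpc(cidr: str, vpc_cidrs: list[str]) -> bool:
    """True when every address in `cidr` falls within one of the VPC's CIDRs."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == v.version and net.subnet_of(v)
               for v in map(ipaddress.ip_network, vpc_cidrs))


def _is_https_only(perm: dict) -> bool:
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == HTTPS and perm.get("ToPort") == HTTPS)


def _sources(perm: dict):
    """Yield (field, single-source entry, CIDR or None) for each source."""
    for r in perm.get("IpRanges", []):
        yield "IpRanges", {"CidrIp": r["CidrIp"]}, r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield "Ipv6Ranges", {"CidrIpv6": r["CidrIpv6"]}, r["CidrIpv6"]
    for p in perm.get("UserIdGroupPairs", []):   # security-group references
        yield "UserIdGroupPairs", {"GroupId": p["GroupId"]}, None
    # PrefixListIds are deliberately not classified here: inspect their
    # contents with `describe-managed-prefix-lists` before deciding.


def _single_rule(perm: dict, field: str, entry: dict) -> dict:
    """One rule naming exactly one source, in the shape that
    `revoke-security-group-ingress --ip-permissions` expects."""
    rule = {"IpProtocol": perm["IpProtocol"]}
    for key in ("FromPort", "ToPort"):
        if key in perm:             # absent when IpProtocol is "-1" (all)
            rule[key] = perm[key]
    rule[field] = [entry]
    return rule


def audit_endpoint_sg(group: dict, vpc_cidrs: list[str]) -> dict:
    """Classify every rule of an endpoint-only security group."""
    keep, revoke_in, revoke_out = [], [], []

    for perm in group.get("IpPermissions", []):
        https = _is_https_only(perm)
        for field, entry, cidr in _sources(perm):
            # Keep only HTTPS from inside the VPC: a CIDR within the VPC, or
            # a security-group reference, which is narrower still.
            scoped = cidr is None or inside_vpc(cidr, vpc_cidrs)
            (keep if https and scoped else revoke_in).append(
                _single_rule(perm, field, entry))

    # The endpoint network interface only accepts connections, and security
    # groups are stateful: replies to a permitted inbound session flow with
    # no egress rule at all. Every egress rule is therefore surplus.
    for perm in group.get("IpPermissionsEgress", []):
        for field, entry, _ in _sources(perm):
            revoke_out.append(_single_rule(perm, field, entry))

    return {
        "keep_ingress": keep,
        "revoke_ingress": revoke_in,
        "revoke_egress": revoke_out,
        # Guardrail for the question's first requirement: after the revokes,
        # at least one in-VPC HTTPS rule must remain or clients lose access.
        "endpoint_still_reachable": bool(keep),
    }


def revoke_commands(group_id: str, result: dict) -> list[str]:
    """AWS CLI commands that would apply the audit result (returned, not run)."""
    cmds = []
    for verb, rules in (("ingress", result["revoke_ingress"]),
                        ("egress", result["revoke_egress"])):
        for rule in rules:
            cmds.append(f"aws ec2 revoke-security-group-{verb} "
                        f"--group-id {group_id} --ip-permissions "
                        f"'{json.dumps([rule])}'")
    return cmds


if __name__ == "__main__":
    result = audit_endpoint_sg(SAMPLE_GROUP, [VPC_CIDR])
    print(json.dumps(result, indent=2))
    print("\n".join(revoke_commands(SAMPLE_GROUP["GroupId"], result)))
```

On the sample, the audit flags exactly Inbound - Rule 1 and Outbound - Rule 1 for revocation and keeps Inbound - Rule 2, matching option B. The `endpoint_still_reachable` flag is the check to look at before running the generated commands: a group whose only inbound rule was the 0.0.0.0/0 one would come back `False`, meaning the revoke would cut the VPC off from the endpoints and a scoped rule must be authorised first.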

Community Discussion

No community discussion yet for this question.
