SAP-C02 Question #841: Real Exam Question with Answer & Explanation
Correct answer: D (Create a firewall in AWS Network Firewall. Create a stateful rule group that has a rule that denies)
Question
A company wants to improve the security posture for a group of Amazon EC2 instances. The EC2 instances run behind an Application Load Balancer (ALB) in a VPC. The EC2 instances have a route to the internet. A solutions architect must ensure that the EC2 instances cannot open outbound SSH connections on any port to communicate with systems on the internet. Which solution will meet this requirement?
Options
- A. In the VPC, create an outbound network ACL rule that denies SSH over any port.
- B. In the VPC, create an outbound security group rule that denies SSH over any port.
- C. Create an AWS WAF web ACL that has a rule that blocks access to all IP addresses for SSH.
- D. Create a firewall in AWS Network Firewall. Create a stateful rule group that has a rule that denies
Explanation
Security groups cannot deny traffic (they are allow-only), and network ACLs are stateless and match only on ports, while SSH can be run on any TCP port, so a port-based rule cannot reliably block it. AWS Network Firewall lets you create stateful rules that match SSH (by port or by protocol signature) and explicitly deny it; a route table then forces all egress from the instance subnets through the firewall endpoint. That prevents outbound SSH from the instances to the internet.
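The following Terraform is an added illustration of the approach described above (it is not part of the exam material or AWS documentation): a stateful rule group whose Suricata rule drops SSH by protocol signature rather than by port, a policy and firewall that use it, and the route that sends the protected subnet's internet-bound traffic to the firewall endpoint. The variable names, rule group name and Suricata sid are assumed placeholders.

```hcl
# Stateful rule group: "ssh" in the protocol field uses Suricata's
# application-layer detection, so SSH on port 2222 is dropped just like port 22.
# $HOME_NET defaults to the VPC CIDR and $EXTERNAL_NET to everything else.
resource "aws_networkfirewall_rule_group" "deny_egress_ssh" {
  capacity = 10
  name     = "deny-egress-ssh" # assumed name
  type     = "STATEFUL"

  rule_group {
    rules_source {
      rules_string = <<-EOT
        drop ssh $HOME_NET any -> $EXTERNAL_NET any (msg:"Deny outbound SSH on any port"; flow:to_server; sid:1000001; rev:1;)
      EOT
    }
  }
}

# Policy: hand every packet to the stateful engine, where the drop rule applies.
resource "aws_networkfirewall_firewall_policy" "egress" {
  name = "egress-policy" # assumed name

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.deny_egress_ssh.arn
    }
  }
}

# Firewall endpoint lives in its own subnet (var.firewall_subnet_id, assumed),
# separate from the subnet holding the EC2 instances.
resource "aws_networkfirewall_firewall" "egress" {
  name                = "egress-firewall" # assumed name
  firewall_policy_arn = aws_networkfirewall_firewall_policy.egress.arn
  vpc_id              = var.vpc_id # assumed variable

  subnet_mapping {
    subnet_id = var.firewall_subnet_id
  }
}

# Route table of the EC2 subnet: all internet-bound traffic goes to the firewall
# endpoint instead of the internet gateway. The firewall subnet still needs its
# own 0.0.0.0/0 route to the IGW (not shown).
resource "aws_route" "protected_subnet_to_firewall" {
  route_table_id         = var.protected_route_table_id # assumed variable
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = [for s in aws_networkfirewall_firewall.egress.firewall_status[0].sync_states : s.attachment[0].endpoint_id][0]
}
```

After applying, a connection attempt from an instance to an internet host on port 22 or on a non-standard port is dropped once the SSH banner is detected, which is what option D relies on and what a port-only NACL rule cannot do.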