SOA-C02 · Question #50

SOA-C02 Question #50: Real Exam Question with Answer & Explanation

Submitted by rohit_dlh · Mar 30, 2026 · Security and Compliance

Question

An Amazon EC2 instance is in a private subnet. To SSH to the instance, it is required to use a bastion host that has an IP address of 10.0.0.5. SSH logs on the EC2 instance in the private subnet show that connections are being made over SSH from several other IP addresses. The EC2 instance currently has the following inbound security group rules applied:

  • Protocol: TCP, Port: 22, Source: 10.0.0.5/32
  • Protocol: TCP, Port: 22, Source: sg-xxxxxxxx
  • Protocol: TCP, Port: 389, Source: 0.0.0.0/0

What is the MOST likely reason that other IP addresses are able to SSH to the EC2 instance?

Options

  • A. The rule with 0.0.0.0/0 means SSH is open for any client to connect
  • B. The rule with /32 is not limiting to a single IP address
  • C. Any instance belonging to sg-xxxxxxxx is allowed to connect
  • D. There is an outbound rule allowing SSH traffic

Explanation

Option C is correct because the second inbound rule references a security group ID (sg-xxxxxxxx) as its source. A security-group source matches traffic from the network interfaces of every instance that is a member of that group, not a single IP address. If multiple instances share that security group, all of them can SSH to the private instance, which explains the unexpected source IP addresses in the logs.

Why the distractors are wrong:

  • A is wrong because port 389 (LDAP) is open to 0.0.0.0/0, not port 22 - SSH is not open to all IPs.
  • B is wrong because /32 in CIDR notation does mean exactly one IP address (the maximum prefix length for IPv4).
  • D is wrong because security groups are stateful, and outbound rules don't allow unsolicited inbound SSH connections from other hosts.

Memory tip: Think of a security group source rule as a membership pass - referencing sg-xxxxxxxx as a source means "anyone holding this pass gets in," regardless of their IP address. Always audit security group references, not just CIDR ranges, when locking down access.
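The audit the memory tip calls for can be automated. The following is an added example, not code from nerdexam or from AWS: it walks a security group in the shape returned by EC2 DescribeSecurityGroups (the dict boto3's describe_security_groups() returns under "SecurityGroups") and reports, for each source that can reach port 22, whether it is a single allowed host, a wider CIDR, open to the world, or a security-group reference. The sample group is constructed to mirror the three rules in the question; the group ID sg-private-instance is a placeholder.

```python
from ipaddress import ip_network

# Constructed sample in the DescribeSecurityGroups shape. The three rules mirror
# the inbound rules in the question; the GroupId is a placeholder, not a real group.
PRIVATE_INSTANCE_SG = {
    "GroupId": "sg-private-instance",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.5/32"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-xxxxxxxx"}]},
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`.

    IpProtocol "-1" means all traffic and has no port fields, so it always matches.
    """
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def classify_cidr(cidr):
    """Label a CIDR source: a /0 is the whole internet, a /32 (or /128) is one host."""
    net = ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "open-to-world"
    if net.num_addresses == 1:
        return "single-host"
    return "cidr-range"


def audit_ssh_sources(sg, port=22, allowed_hosts=("10.0.0.5/32",)):
    """Return one finding per source that can reach `port`.

    A finding is flagged unless it is a single-host CIDR listed in `allowed_hosts`.
    Security-group references are always flagged: they admit every member of the
    referenced group, so the reviewer must enumerate that group's members separately.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not rule_covers_port(perm, port):
            continue
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            kind = classify_cidr(cidr)
            findings.append({
                "source": cidr,
                "kind": kind,
                "flag": kind != "single-host" or cidr not in allowed_hosts,
            })
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append({
                "source": pair["GroupId"],
                "kind": "security-group-reference",
                "flag": True,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_sources(PRIVATE_INSTANCE_SG):
        marker = "REVIEW" if finding["flag"] else "ok"
        print(f"{marker:6} port 22 from {finding['source']} ({finding['kind']})")
```

Run against the sample, the 10.0.0.5/32 bastion rule comes back unflagged, the sg-xxxxxxxx reference is flagged for review, and the 0.0.0.0/0 rule does not appear at all because it only covers port 389. To see who actually holds the "membership pass", follow a flagged security-group reference with a DescribeInstances call filtered on instance.group-id for that group ID.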

Topics

#Security Groups #EC2 Networking #Access Control #Network Security
