
Exam AWS-SysOps topic 1 question 488 discussion

Exam question from Amazon's AWS-SysOps
Question #: 488
Topic #: 1

A user has configured two security groups which allow traffic as given below:
1: SecGrp1:
   Inbound on port 80 for 0.0.0.0/0
   Inbound on port 22 for 0.0.0.0/0
2: SecGrp2:
   Inbound on port 22 for 10.10.10.1/32
If both security groups are associated with the same instance, which of the below-mentioned statements is true?

  • A. It is not possible to have more than one security group assigned to a single instance
  • B. It allows inbound traffic for everyone on both ports 22 and 80
  • C. It is not possible to create the security group with conflicting rules. AWS will reject the request
  • D. It allows inbound traffic on port 22 for IP 10.10.10.1 and for everyone else on port 80
Suggested Answer: B
A user can attach more than one security group to a single EC2 instance. In this case, the rules from each security group are effectively aggregated to create one set of rules. AWS uses this set of rules to determine whether to allow access or not. Thus, here the rule for port 22 with IP 10.10.10.1/32 will merge with IP 0.0.0.0/0 and open ports 22 and 80 for all.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
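Added example (not from the exam site or from AWS): a small Python model of the aggregation described above. Attached groups are treated as one union of allow rules with an implicit deny, and an audit helper flags a narrow rule that a broader rule on the same port (from any attached group) makes redundant. The Rule class, the RULES list and the helper names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    group: str   # security group the rule belongs to
    port: int    # TCP port the rule opens
    cidr: str    # allowed source range


# Constructed rule set mirroring the two groups in the question.
RULES = [
    Rule("SecGrp1", 80, "0.0.0.0/0"),
    Rule("SecGrp1", 22, "0.0.0.0/0"),
    Rule("SecGrp2", 22, "10.10.10.1/32"),
]


def matching_rules(rules, port, src_ip):
    """Return every rule, across all attached groups, that permits this flow.
    Security groups are allow-lists with an implicit deny, so the effective
    policy is the union of all rules: a single match is enough to allow."""
    src = ipaddress.ip_address(src_ip)
    return [r for r in rules
            if r.port == port and src in ipaddress.ip_network(r.cidr)]


def is_allowed(rules, port, src_ip):
    return bool(matching_rules(rules, port, src_ip))


def shadowed_rules(rules):
    """Audit helper: (narrow, broad) pairs on the same port where the narrow
    CIDR lies entirely inside the broad one. The narrow rule adds no
    restriction; if it was meant to limit access, the broad rule must go."""
    found = []
    for r in rules:
        net = ipaddress.ip_network(r.cidr)
        for other in rules:
            if other is r or other.port != r.port:
                continue
            onet = ipaddress.ip_network(other.cidr)
            if net != onet and net.subnet_of(onet):
                found.append((r, other))
    return found


if __name__ == "__main__":
    print("22 from 203.0.113.9 allowed:", is_allowed(RULES, 22, "203.0.113.9"))
    for narrow, broad in shadowed_rules(RULES):
        print(f"{narrow.group} port {narrow.port} {narrow.cidr} is shadowed by "
              f"{broad.group} {broad.cidr}")
```

Run as a script it reports that port 22 is reachable from an arbitrary address and that the SecGrp2 /32 rule is shadowed by the SecGrp1 0.0.0.0/0 rule.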

Comments

albert_kuo
10 months, 1 week ago
Selected Answer: B
If there is more than one rule for a specific port, we apply the most permissive rule. For example, if you have a rule that allows access to TCP port 22 (SSH) from IP address 203.0.113.1 and another rule that allows access to TCP port 22 from everyone, everyone has access to TCP port 22. https://serverfault.com/a/686273
upvoted 1 times
xxxdolorxxx
2 years, 5 months ago
B seems to be correct.
upvoted 1 times
wannaaws
2 years, 6 months ago
B. According to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules.html If there is more than one rule for a specific port, Amazon EC2 applies the most permissive rule. For example, if you have a rule that allows access to TCP port 22 (SSH) from IP address 203.0.113.1, and another rule that allows access to TCP port 22 from everyone, everyone has access to TCP port 22.
upvoted 3 times
anishmn10
2 years, 6 months ago
D is correct
upvoted 1 times
anishmn10
2 years, 6 months ago
correcting B
upvoted 1 times
sen12
2 years, 6 months ago
Yes, it will allow both the traffic from 0.0.0.0/0 and also from the IP 10.10.10.1/32. Ideally, any traffic will be allowed through 22 using the SecGrp1 and if anything specifically from 10.10.10.1/32 through 22 will be using the SecGrp2.
upvoted 1 times
karmaah
2 years, 7 months ago
Can anyone explain in what order it merges 0.0.0.0/0 with 10.10.10.1/32 to allow port 22?
upvoted 1 times
karmaah
2 years, 6 months ago
Done a little research. 1: SecGrp1: Inbound on port 22 for 0.0.0.0/0. 2: SecGrp2: Inbound on port 22 for 10.10.10.1/32. Since there is no default deny process, SG allows both.
upvoted 6 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other