Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 25 discussion

For security group outbound rule is automatically allowed as security groups are stateful, NACL is stateless, so answer will be D as we need to allow the outbound rule in VPC's NACL.

The best option is D This is why: Looking closely at the Flow Log Analysis: There are two entries: ACCEPT – From 203.0.113.12 to 172.31.16.139 (on-premises to EC2) REJECT – From 172.31.16.139 to 203.0.113.12 (EC2 to on-premises) This tells us that: The inbound request (ICMP Echo Request) from on-prem to EC2 is allowed. The outbound reply (ICMP Echo Reply) from EC2 to on-prem is rejected. Conclusion: The ping fails because the outbound ICMP reply from the EC2 instance is being blocked. Therefore, the correct answer will be: D. In the VPC’s NACL, allow outbound ICMP traffic. This action will permit the Echo Reply back to the source, allowing the ping to succeed.

the most direct and likely solution is to configure the EC2 instance's security group to allow inbound ICMP traffic. The NACL is less likely to be the primary cause in this scenario.

I failed to see how option D is correct and how this is an outbound issue. In the logs 203.0.113.2 is the source ip address sending a ping to 172.31.16.139, this is the outbound ICMP traffic which accepted. It is the inbound ICMP coming from 172.31.16.139 that is rejected, maknig this the return inbound ICMP traffic. The question states the ping was initiated from the Host IP address 203.0.113.12 (source ip) making 172.31.16.139 the destination. Based on the logs Option C is the correct answer.

D is the right option.

see https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-security-groups the NACL is blocking the outbound response

There are multiple possible cause. https://arcadian.cloud/aws/2022/07/01/4-reasons-you-cannot-ping-your-aws-ec2-instance-and-how-to-fix-them/ Base on the logs, only one direction is not successful. Likely its #4 - NACL.

It's the EC2 instance IP area from where the ping didn't get the response back to the on-prem location which is clearly a usecase of NACL area. Therefore, def. going with 'D'.

NACLs are stateless and do not track the state of a connection, while Security Groups are stateful and allow traffic based on the response to previous traffic. Default rule: NACLs have a default rule that denies all traffic, while Security Groups have a default rule that allows all traffic.

Answer D

Answer D

Outbound communication on NACL is blocked.

it is D

I think its B

Answer D

https://www.examtopics.com/discussions/amazon/view/16473-exam-aws-certified-security-specialty-topic-2-question-8/