Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 25 discussion

For security group outbound rule is automatically allowed as security groups are stateful, NACL is stateless, so answer will be D as we need to allow the outbound rule in VPC's NACL.

the most direct and likely solution is to configure the EC2 instance's security group to allow inbound ICMP traffic. The NACL is less likely to be the primary cause in this scenario.

I failed to see how option D is correct and how this is an outbound issue. In the logs 203.0.113.2 is the source ip address sending a ping to 172.31.16.139, this is the outbound ICMP traffic which accepted. It is the inbound ICMP coming from 172.31.16.139 that is rejected, maknig this the return inbound ICMP traffic. The question states the ping was initiated from the Host IP address 203.0.113.12 (source ip) making 172.31.16.139 the destination. Based on the logs Option C is the correct answer.

D is the right option.

see https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-security-groups the NACL is blocking the outbound response

There are multiple possible cause. https://arcadian.cloud/aws/2022/07/01/4-reasons-you-cannot-ping-your-aws-ec2-instance-and-how-to-fix-them/ Base on the logs, only one direction is not successful. Likely its #4 - NACL.

It's the EC2 instance IP area from where the ping didn't get the response back to the on-prem location which is clearly a usecase of NACL area. Therefore, def. going with 'D'.

NACLs are stateless and do not track the state of a connection, while Security Groups are stateful and allow traffic based on the response to previous traffic. Default rule: NACLs have a default rule that denies all traffic, while Security Groups have a default rule that allows all traffic.

Answer D

Answer D

Outbound communication on NACL is blocked.

it is D

I think its B

Answer D

https://www.examtopics.com/discussions/amazon/view/16473-exam-aws-certified-security-specialty-topic-2-question-8/