Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 92 discussion

Network ACLs are stateless, meaning you need to explicitly allow both inbound and outbound traffic. While the inbound rules might be correctly configured, the outbound rules might be blocking the return traffic. Allowing outbound traffic to ephemeral ports (typically ports 1024-65535) ensures that the response traffic to the vendors.

Ephemeral ports are necessary for certain network responses and are dependant on the client type (O/S)... The client that initiates the request chooses the ephemeral port range. The range varies depending on the client's operating system. Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000. Requests originating from Elastic Load Balancing use ports 1024-65535. Windows operating systems through Windows Server 2003 use ports 1025-5000. Windows Server 2008 and later versions use ports 49152-65535. A NAT gateway uses ports 1024-65535. AWS Lambda functions use ports 1024-65535. For example, if a request comes into a web server in your VPC from a Windows 10 client on the internet, your network ACL must have an outbound rule to enable traffic destined for ports 49152-65535. REF: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports

I don't understand why they are called 'ephmeral' ports

Definitely B.

Did someone take the test recently? How many questons appeared from here?

Agreed with B.

B. You must allow the ephemeral ports in the outbound NACL for the CIDR range.

correct