Exam AWS Certified SysOps Administrator - Associate topic 1 question 415 discussion

Answer is C. please see the section "Accepted and rejected traffic" example in below page https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-accepted-rejected

C A is not an option - "Security group rules are always permissive; you can't create rules that deny access." https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules.html

The VPC flow log entry provided in the question shows a REJECT action, which indicates that the traffic is being blocked by a network ACL (NACL) rule. The flow log entry shows the following details: - Source IP: 192.0.2.15 (which is likely the client's IP address) - Destination IP: 203.0.113.56 (which is likely the EC2 instance's IP address) - Destination port: 443 (which is the standard HTTPS port) - Protocol: 6 (which is TCP)

In accordingly to the document https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-accepted-rejected is reported that: "If your network ACL permits outbound ICMP traffic, the flow log displays two ACCEPT records (one for the originating ping and one for the response ping). If your security group denies inbound ICMP traffic, the flow log displays a single REJECT record, because the traffic was not permitted to reach your instance." So in our case we have a sigle REJECT record then the problem is related to security group the not permit the traffic on 443 port. For me Answer is A

This Question is tricky https://www.examtopics.com/discussions/amazon/view/50839-exam-aws-certified-sysops-administrator-associate-topic-1/

Its C, as "eni" is showing that the elastic network interface (network ACL) is denying the request

I think this is C