Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 285 discussion

Answer is B you need to accept ephemeral range for your tcp response to flow back 443 <-> 1000-65535 example custom network acl https://docs.aws.amazon.com/vpc/latest/userguide/custom-network-acl.html

Responses to requests sent to port 443 will use ephemeral ports (1024–65535). As for option C, allowing inbound traffic on ephemeral ports (1024–65535) is in rule 200, which is evaluated after the rule denying MySQL traffic (rule 100), returning traffic will be blocked before being allowed.

This configuration ensures that: Inbound traffic on MySQL port 3306 is denied. Inbound traffic on TCP port 443 (used for TLS) is allowed. Outbound traffic on TCP port 443 is allowed. This setup improves the subnet security by restricting unwanted inbound traffic while allowing necessary outbound traffic for internet services using TLS.

The correct answer is: D Use inbound rule 100 to deny traffic on TCP port 3306. Use inbound rule 200 to allow traffic on TCP port 443. Use outbound rule 100 to allow traffic on TCP port 443. Explanation: Inbound Rule 100 to deny traffic on TCP port 3306: This rule denies inbound traffic on MySQL’s default port (3306). It ensures that no traffic can reach the EC2 instances on that port from external sources. Inbound Rule 200 to allow traffic on TCP port 443: This rule allows inbound HTTPS (TLS) traffic on port 443, which is required for your application to communicate with an external internet service over HTTPS. Outbound Rule 100 to allow traffic on TCP port 443: This rule allows outbound traffic from the EC2 instances on port 443. It ensures that the EC2 instances can establish outbound connections to the internet over HTTPS. This rule set allows secure internet access for outbound TLS traffic on port 443 while denying inbound MySQL traffic on port 3306, fulfilling both requirements for security.