Exam AWS Certified Security - Specialty topic 1 question 47 discussion

C is Correct

C is correct We assumed that the EC2 is a HTTP server. Therefore target port of incoming traffic is 80 or 443, and source port of incoming traffic is a ephemeral port (enduser's port). Responses from the HTTP server will be outgoing traffic with target port being ephemeral and source port being 80 or 443. security groups are sessionful, therefore we dont need a outbound security group ACL are sessionless and we need to specify an outbound rule. This rule should have 80 or 443 as source port and ephemeral as target port

The answer is C because security groups are stateful and NACL's are stateless. Since NACL's are stateless traffic must be enabled in both directions.

C is correct. NACL is stateless and requires permitting outbound ephemeral ports.

NACL is stateless which means you have to set the outbound rules, default rules wont work.

C is the answer

C it is. A B are out of the question becuse SGs are stateful so if inbound is working outbound is ok too. D is wrong traffic to the public internet has to be done on ephemeral ports not 80.

C. An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.

question says " but contains no outward restrictions." isn't this mean outbound rule already exists. Default outbound rule is deny all and on this custom rule no restrictions exists??

C is the answer Ref: https://aws.amazon.com/premiumsupport/knowledge-center/resolve-connection-sg-acl-inbound/

C is my answer.!

C. why? NACLs are stateless. On that account, changes applicable to an incoming rule will not be applicable to the outgoing rule, and hence you have to configure the outbound as well.

Ans: C 100%

The correct answer is C, not D. Network ACL outbound rule must contain ephemeral ports.

C is Correct

Ans > C https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports

Ans (C)