Q31 — AWS SCS-C02 Ch.1
A company hosts a public website on an Amazon EC2 instance. HTTPS traffic must be able to access the website. The company uses SSH for management of the web server. The website is on the subnet 10.0.1.0/24. The management subnet is 192.168.100.0/24. A security engineer must create a security group for the EC2 instance. Which combination of steps should the security engineer take to meet these requirements in the MOST secure manner? (Choose two.)
- A. Allow port 22 from source 0.0.0.0/0.
- B. Allow port 443 from source 0.0.0.0/0. ✓
- C. Allow port 22 from 192.168.100.0/24. ✓
- D. Allow port 22 from 10.0.1.0/24.
- E. Allow port 443 from 10.0.1.0/24.
Correct Answer: B (Allow port 443 from source 0.0.0.0/0) and C (Allow port 22 from 192.168.100.0/24).
Explanation
AWS security group configuration should follow the principle of least privilege. Allow HTTPS (port 443) from any IP so that the public website remains reachable. Restrict SSH (port 22) to the management subnet (192.168.100.0/24) only, to reduce the exposure of the management interface. Per AWS security best practices, open only the ports that are required and limit the allowed source ranges. Option B satisfies the HTTPS access requirement, and option C confines SSH access to the designated management subnet; the remaining options either grant broader access than necessary (A, D, E) or wrongly restrict traffic that must be allowed (E).