Q52 — AWS SCS-C02 Ch.1

Question 52 of 100, Chapter 1

A company has deployed servers on Amazon EC2 instances in a VPC. External vendors access these servers over the internet. Recently, the company deployed a new application on EC2 instances in a new CIDR range. The company needs to make the application available to the vendors. A security engineer verified that the associated security groups and network ACLs are allowing the required ports in the inbound direction. However, the vendors cannot connect to the application. Which solution will provide the vendors access to the application?

Correct Answer: B. Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.  

Explanation

Network ACLs are stateless, so outbound rules must be configured separately. AWS documentation states that clients receive responses on ephemeral ports, so outbound traffic to those ports must be explicitly allowed. In this question, the network ACL for the new CIDR range most likely lacks an outbound rule covering ephemeral ports, which causes the connection to fail. Option B corrects this. Among the other options: security groups allow all outbound traffic by default (A is unnecessary); an internet gateway has no inbound rule configuration (C is wrong); symmetric inbound/outbound rules (D) do not apply to the ephemeral port scenario. Answer B follows AWS network ACL best practice.