AWS Certified Advanced Networking - Specialty



A company operates a workload in a single VPC on AWS, utilizing interface VPC endpoints for services such as Amazon CloudWatch Logs and AWS Key Management Service (AWS KMS). These endpoints share a security group that is not used by any other workloads or resources. Following a security review, the company identified that the shared security group is overly permissive and aims to tighten its rules without disrupting access to AWS services through the interface VPC endpoints, while eliminating unnecessary access.

The current security group rules are as follows:

  • Inbound - Rule 1
    Protocol: TCP
    Port: 443
    Source: 0.0.0.0/0

  • Inbound - Rule 2
    Protocol: TCP
    Port: 443
    Source: VPC CIDR

  • Outbound - Rule 1
    Protocol: All
    Port: All
    Destination: 0.0.0.0/0

Which rule or rules should the company remove to meet these requirements?




Explanation:

The company wants to make the security group rules more restrictive without preventing resources in the VPC from reaching AWS services through the interface VPC endpoints. Two of the current rules are too permissive: Inbound - Rule 1 admits TCP port 443 traffic from any IP address, and Outbound - Rule 1 allows all outbound traffic to any destination. Inbound - Rule 2, which allows TCP port 443 from the VPC CIDR, is the rule the endpoints actually depend on, because the clients that call CloudWatch Logs and AWS KMS through the endpoints sit inside the VPC. Because security groups are stateful, the endpoint network interfaces do not need an outbound rule to return responses to those clients, so the outbound rule grants access that nothing requires. Removing Inbound - Rule 1 and Outbound - Rule 1 leaves only the necessary traffic permitted. Therefore, the correct action is to remove Inbound - Rule 1 and Outbound - Rule 1.
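The same reasoning, as an added audit example that is not part of the exam page or of any AWS tooling: it applies the policy above to a security group in the shape returned by `aws ec2 describe-security-groups`, using a constructed copy of the question's three rules and an assumed VPC CIDR of 10.0.0.0/16.

```python
"""Audit an interface-endpoint security group for over-permissive rules.

Added example, not from AWS or the exam page. Rules use the IpPermissions /
IpPermissionsEgress shape that describe-security-groups (boto3) returns;
the sample group below is constructed to match the question's three rules.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"  # assumed value for the question's "VPC CIDR"

# Constructed sample: the question's shared endpoint security group.
ENDPOINT_SG = {
    "GroupId": "sg-EXAMPLE",  # placeholder id
    "IpPermissions": [  # inbound rules
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # Inbound - Rule 1
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": VPC_CIDR}]},               # Inbound - Rule 2
    ],
    "IpPermissionsEgress": [  # outbound rules; "-1" means all protocols/ports
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # Outbound - Rule 1
    ],
}


def cidr_within_vpc(cidr: str, vpc_cidr: str) -> bool:
    """True if every address in `cidr` lies inside the VPC CIDR."""
    return ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def audit_endpoint_sg(sg: dict, vpc_cidr: str) -> dict:
    """Return {'remove': [...], 'keep': [...]} of (direction, rule) pairs.

    Policy, following the explanation: inbound, keep only TCP/443 whose IPv4
    sources all fall inside the VPC CIDR (endpoint clients live in the VPC);
    outbound, remove everything, because an endpoint ENI initiates no
    connections and security groups are stateful, so responses flow anyway.
    Rules whose source is another security group (no IpRanges) are kept when
    they are TCP/443, since such sources are VPC-internal by construction.
    """
    verdict = {"remove": [], "keep": []}
    for perm in sg.get("IpPermissions", []):
        is_https = (perm.get("IpProtocol") == "tcp"
                    and perm.get("FromPort") == 443 and perm.get("ToPort") == 443)
        sources_ok = all(cidr_within_vpc(r["CidrIp"], vpc_cidr)
                         for r in perm.get("IpRanges", []))
        bucket = "keep" if is_https and sources_ok else "remove"
        verdict[bucket].append(("inbound", perm))
    for perm in sg.get("IpPermissionsEgress", []):
        verdict["remove"].append(("outbound", perm))
    return verdict
```

Running `audit_endpoint_sg(ENDPOINT_SG, VPC_CIDR)` marks Inbound - Rule 1 and Outbound - Rule 1 for removal and keeps Inbound - Rule 2, matching the answer.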