AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company has a web server running on an Amazon EC2 instance in a public subnet with an Elastic IP address. The default security group is assigned to the EC2 instance. The default network ACL has been modified to block all traffic. A solutions architect needs to make the web server accessible from everywhere on port 443.

Which combination of steps will accomplish this task? (Choose two.)

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0.

Create a security group with a rule to allow TCP port 443 to destination 0.0.0.0/0.

Update the network ACL to allow TCP port 443 from source 0.0.0.0/0.

Update the network ACL to allow inbound/outbound TCP port 443 from source 0.0.0.0/0 and to destination 0.0.0.0/0.

Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0.0.0.0/0.

Explanation:

Explanation

To make the web server accessible on port 443, we need to address both Security Groups and Network ACLs:

1. Security Group (Option A)

Security groups act as stateful firewalls at the instance level
Since the default security group is currently assigned (which by default allows all outbound traffic but no inbound traffic), we need to create a new security group with an inbound rule allowing TCP port 443 from anywhere (0.0.0.0/0)
Option A correctly creates this rule
Option B is incorrect because security group rules specify source, not destination

2. Network ACL (Option E)

Network ACLs act as stateless firewalls at the subnet level
Since the default network ACL has been modified to block all traffic, we need to add specific rules:
- Inbound: Allow TCP port 443 from source 0.0.0.0/0 (for incoming HTTPS requests)
- Outbound: Allow ephemeral ports 32768-65535 to destination 0.0.0.0/0 (for response traffic)
Option E correctly specifies both inbound and outbound rules with the proper ephemeral port range
Option C is incomplete because it only addresses inbound traffic without considering outbound responses
Option D is incorrect because it suggests allowing outbound traffic on port 443, but responses use ephemeral ports, not port 443

Why the other options are incorrect:

Option B: Security group rules use source addresses, not destination addresses
Option C: Only addresses inbound traffic; responses would be blocked by the network ACL
Option D: Incorrectly specifies outbound traffic on port 443; responses use ephemeral ports

Key AWS Concepts:

Security Groups: Stateful - return traffic is automatically allowed
Network ACLs: Stateless - both inbound and outbound rules must be explicitly configured
Ephemeral Ports: TCP/IP uses ephemeral ports (32768-65535) for client-side connections in response traffic

Powered ByGPT-5.2

Comments

Loading comments...