What changes need to be made to allow SSH access to the…

An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny
all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all
outbound traffic. What changes need to be made to allow SSH access to the instance?

A. The outbound security group needs to be modified to allow outbound traffic.

B. The outbound network ACL needs to be modified to allow outbound traffic.

C. Nothing, it can be accessed from any IP address using SSH.

D. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.

Explanation:
The network ACL's outbound rules need to allow TCP ports 1024-65535. The AWS documentation describes this rule as follows:
“Allows outbound responses to the remote computer. Network ACLs are stateless, therefore this rule is required to allow response traffic for inbound requests.”
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
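
The stateless/stateful difference in the explanation can be traced with a small model. This is an added example, not AWS code or part of the original page; the class and function names, the rule numbers and the client port 50000 are constructed for illustration, and the model covers TCP destination ports only.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class NaclRule:
    number: int      # lower numbers are evaluated first
    lo: int          # destination port range (TCP only in this model)
    hi: int
    allow: bool

def nacl_allows(rules, dst_port):
    """Stateless check: first matching rule by number wins, otherwise deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.lo <= dst_port <= rule.hi:
            return rule.allow
    return False

@dataclass
class SecurityGroup:
    inbound: list                      # allowed (lo, hi) destination port ranges
    outbound: list
    tracked: set = field(default_factory=set)   # flows admitted inbound

    def admit_in(self, flow, dst_port):
        ok = any(lo <= dst_port <= hi for lo, hi in self.inbound)
        if ok:
            self.tracked.add(flow)     # stateful: remember the connection
        return ok

    def admit_out(self, flow, dst_port):
        # Replies to a tracked flow pass regardless of outbound rules.
        return flow in self.tracked or any(lo <= dst_port <= hi for lo, hi in self.outbound)

def ssh_attempt(nacl_in, nacl_out, sg, client_port=50000):
    """Trace one SSH request and its reply; client_port is a constructed value."""
    flow = ("client", client_port, "instance", 22)
    if not nacl_allows(nacl_in, 22):
        return "request dropped by NACL inbound"
    if not sg.admit_in(flow, 22):
        return "request dropped by security group inbound"
    if not sg.admit_out(flow, client_port):
        return "reply dropped by security group outbound"
    if not nacl_allows(nacl_out, client_port):
        return "reply dropped by NACL outbound"
    return "connected"

ALLOW_ALL_IN = [NaclRule(100, 0, 65535, True)]
EPHEMERAL_OUT = [NaclRule(100, 1024, 65535, True)]   # range from the explanation
```

Calling `ssh_attempt(ALLOW_ALL_IN, [], SecurityGroup([(22, 22)], []))` reproduces the question's configuration, and swapping `[]` for `EPHEMERAL_OUT` applies the outbound rule from the explanation.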




Steve

Never customize Network ACLs unless absolutely necessary. Do as much as possible with security groups as they are stateful.

Steve

In other words, the answer is B

lhp

Because Security Group is stateful, if some traffic is allowed incoming, the outgoing for the traffic will be allowed. So you do not need to modify the outbound traffic for the security group.