What changes need to be made to allow SSH access to the instance?

An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and
deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and
deny all outbound traffic. What changes need to be made to allow SSH access to the instance?


A.
The outbound security group needs to be modified to allow outbound traffic.

B.
The outbound network ACL needs to be modified to allow outbound traffic.

C.
Nothing, it can be accessed from any IP address using SSH.

D.
Both the outbound security group and outbound network ACL need to be modified to allow outbound
traffic.





Harsh Wardhan

B >> As NACL is stateless in nature.

Manu

JM is right Network ACLs are stateless

Rajasekaran

C,D

Rajasekaran

sorry, Answer is B

seenagape

I choose D

Senator

B is correct

Senator

Outside ACL being stateless, it supersedes security groups as they are applied on the subnet level

Kranthi Kumar Katepalli

B

Guvenor

B should be correct because the security group is stateful while the NACL is stateless. But if you want to be politically correct then D is right.

engmohhamed

I think the answer is B.
No need to enable outbound traffic for the security group as it is stateful, unlike the ACL (stateless).

austin

coding.smashingmagazine.com/2013/01/30/introduction-to-firewalls/
gives a very clear explanation of stateless and stateful firewalls, inbound and outbound.

Thus, the answer is B.

Mayur

B is right. In a security group, you cannot add “DENY” rules.

Wasil

Correct Answer is B as Security groups can specify only Allow rules, but not deny rules

and by default security groups allow all outbound traffic

co

B

ACLs are stateless

kalel

C is correct. I tested it. The instance’s security group is configured to only allow SSH from IP address and deny all outbound traffic. But SSH access to the instance. Outbound traffic isn’t necessary.

Umanath Nayak

C is the correct answer. SSH DOES NOT require outbound traffic permissions. As long as inbound traffic to port 22 is allowed, you should be fine.

Sri

I tested this and found option “D” is the correct answer.

Junaid

Can you explain a bit about the setup and security group that you were using?

As per the link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

You can specify allow rules, but not deny rules.
You can specify separate rules for inbound and outbound traffic.
When you create a security group, it has no inbound rules. Therefore, no inbound traffic is allowed until you add inbound rules to the security group.
By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic is allowed.
Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

Flengio

C is the correct answer

Allen

The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic

C = Correct because it says ANY IP is allowable into but DENY going out

deathless

Too many different answers. Just went ahead and replicated this requirement, then ran the instance and was able to connect/login via SSH without any issues.

C appears to be the correct answer.

Anthony

D is right. Even though security groups are stateful by default, in this case the outbound rule had been modified to deny all outbound traffic. So it needs changing to allowed. As NACL are stateless, it naturally needs outbound rules modified.

Anthony

Yeah, answer is C…

Anthony

Nah, answer is D. You can remove the outbound rule in security groups, which effectively denies all outbound traffic. So both SG and NACL need to be modified to allow outbound traffic.

RP

Modifying the Security Group will not be required as they allow configuring only allow.
NACLs support specifying Deny and NACL will be enforced before changing.
To enable SSH, it is required to modify only the NACL and the best option will be B.

Amit

B is the correct answer.

Network ACLs are stateless, hence if you have an allow rule set for inbound traffic then you should also set an allow rule for outbound traffic.

Juan

Answer is C.

You can enable an inbound rule in a Security Group, for example SSH access. The rules are stateful in Security Groups. It is not necessary to allow output traffic because when you enable an inbound rule, output traffic for this port is automatically allowed.

cloud30

Correct answer is B.
The outbound & Inbound network ACL needs to be modified to allow traffic – MUST

MJ

B.
The outbound network ACL needs to be modified to allow outbound traffic.

gamer

C is the correct answer

sanjay

B is the right answer (tested)

Johaness

Tested it, no need to change SG but ACL needs to be added, so B is right

Suresh

A is wrong because in SG if inbound is allowed, by default outbound is allowed.
B is more like yes, but in the question it states that instance’s security group is configured to allow SSH from any “IP address”- check with A.
C is right, because as it is allowed via ssh from any ip address we don’t have to make any changes.
D is wrong as we don’t have any specific option to modify the outbound rule in SG.

Suresh

Sorry, but after rephrasing the question, B is the right answer because even though the security group is allowing SSH from any IP, the NACL would block the outbound.
So we need to change the NACL.

QuizBuster

As Junaid mentioned above, “stateful” means that “responses” to allowed inbound traffic are always allowed back out again. Not any traffic using same ports.

Did a test, with a SG allowing port 22 & 80 in and without any outbound rule. Could easily login via ssh and/or access the index.html file of a httpd service, but wasn’t capable of using services of same traffic/port type from within the instance going out (ssh into another instance in same SG or yum updates), without adding the corresponding outbound port rules to the SG.

B is the only correct answer.

My Tuan

B
“An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic”
=> NACL is stateless so you need to modify it.

“The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic”
=> Security Group is stateful so you don’t need to modify anything.
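
The stateful versus stateless behaviour the thread turns on, as an added example that is not part of the original page or of any comment: a small Python model in which the network ACL checks every packet per direction and the security group tracks allowed connections, following the AWS documentation quoted above. The addresses, the client source port and the 1024-65535 ephemeral reply range are constructed assumptions.

```python
from dataclasses import dataclass, field

ALL, SSH, EPHEMERAL = [(0, 65535)], [(22, 22)], [(1024, 65535)]  # allow ranges (assumed)
CLIENT, INSTANCE, REMOTE = "203.0.113.10", "10.0.0.5", "198.51.100.7"  # constructed

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    def reply(self):
        return Packet(self.dst, self.dport, self.src, self.sport)

def matches(rules, pkt):
    # Allow-list on destination port; no matching rule means the packet is dropped.
    return any(lo <= pkt.dport <= hi for lo, hi in rules)

@dataclass
class Nacl:  # stateless: replies are checked like any other packet
    inbound: list
    outbound: list
    def allows(self, direction, pkt):
        return matches(self.inbound if direction == "in" else self.outbound, pkt)

@dataclass
class SecurityGroup:  # stateful: replies to an allowed flow skip the rules
    inbound: list
    outbound: list
    tracked: set = field(default_factory=set)
    def allows(self, direction, pkt):
        if pkt.reply() in self.tracked:
            return True
        ok = matches(self.inbound if direction == "in" else self.outbound, pkt)
        if ok:
            self.tracked.add(pkt)
        return ok

def ssh_works(sg_out, nacl_out):
    """Inbound SSH as in the question; True only if the reply also gets out."""
    nacl, sg = Nacl(ALL, nacl_out), SecurityGroup(SSH, sg_out)
    syn = Packet(CLIENT, 50000, INSTANCE, 22)
    arrived = nacl.allows("in", syn) and sg.allows("in", syn)
    return arrived and sg.allows("out", syn.reply()) and nacl.allows("out", syn.reply())

def egress_works(sg_out, nacl_out):
    """Instance-initiated connection (e.g. a package update over 443)."""
    nacl, sg = Nacl(ALL, nacl_out), SecurityGroup(SSH, sg_out)
    pkt = Packet(INSTANCE, 40000, REMOTE, 443)
    return sg.allows("out", pkt) and nacl.allows("out", pkt)
```

With both outbound lists empty the model drops the SSH reply at the network ACL; opening only the ACL's outbound side lets the session complete, while instance-initiated connections still fail until the security group gets an outbound rule.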