Back to Amazon EC2

Security Groups

5 minutes 5 Questions

A security group is a virtual firewall that controls the traffic for one or more Amazon EC2 instances. You can create security groups based on your requirements and then assign them to your instances, allowing or denying traffic based on rules. Rules can be configured for both inbound and outbound …

Test mode:
Start practice test
AWS Certified Solutions Architect - Security Groups Example Questions

Test your knowledge of Security Groups

Question 1

An Amazon EC2 instance must send email via Amazon SES using the SMTP interface (not the SES API). The instance does not need to accept any inbound email connections. How should its security group be configured to allow this traffic?

Correct Answer: Allow outbound traffic on port 25, 587, or 465 to the SES endpoint

When sending email through Amazon SES using the SMTP interface, the EC2 instance must initiate an outbound TCP connection to the regional SES SMTP endpoint on one of the SMTP ports (25, 587, or 465). Security groups are stateful, so only an outbound rule is required; SES does not initiate inbound connections to the instance for sending mail. Ports 80/443 are for the HTTPS API (SDK) path, not SMTP. Note that AWS may throttle port 25 by default; using ports 587 or 465 or requesting port 25 unblocking may be necessary, but the correct security group configuration remains outbound access to the SES SMTP ports.

Question 2

You manage an Auto Scaling group that launches Amazon Linux 2 instances in a private subnet. The VPC has a NAT gateway in a public subnet and an Internet Gateway. At boot, the instances must install the latest security updates using yum/dnf. The security group attached to the instances is configured for least privilege (no default allow-all egress). Which outbound security group rules must be configured to enable the instances to successfully obtain updates while minimizing exposure?

Correct Answer: Allow outbound TCP 80 and 443 to 0.0.0.0/0, and allow outbound DNS (UDP and TCP 53) to AmazonProvidedDNS (the VPC DNS resolver).

Instances in a private subnet download updates via the NAT gateway, so their security group must permit egress to the internet on HTTP/HTTPS (TCP 80/443). Because yum/dnf accesses repositories by hostname, the instances also need DNS resolution. In a VPC, instances typically use AmazonProvidedDNS (the VPC resolver) for DNS, which requires outbound UDP and TCP port 53 to that resolver address. Security groups are stateful, so return traffic is automatically allowed. Allowing only these ports follows least-privilege while ensuring updates succeed.

Question 3

An Amazon RDS instance runs in a private subnet and must be reachable only from the company’s on‑premises network over a site‑to‑site VPN. To protect the database from unauthorized access, which security group rule on the RDS instance should be configured?

Correct Answer: Allow inbound traffic from the organization's IP range to the port used by the RDS

To restrict access to an Amazon RDS instance so only the organization's network can connect, you should add an inbound rule on the RDS security group that allows the database port (for example, 3306 for MySQL, 5432 for PostgreSQL) from the organization's IP range (or on‑premises CIDR over VPN/Direct Connect). Security groups are stateful, and inbound rules determine who can initiate connections to the RDS. Allowing inbound from 0.0.0.0/0 exposes the database to the public internet, which is insecure. Outbound rules on the RDS security group do not control who can initiate inbound connections; therefore, outbound to 0.0.0.0/0 or from the organization's IP range does not achieve the required restriction.

More Security Groups questions
15 questions (total)
Start 15 question test