Which solution will provide the vendors access to the application?
Modify the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules.
Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.
Modify the inbound rules on the internet gateway to allow the required ports.
Modify the network ACL that is associated with the CIDR range to have the same outbound rules as inbound rules.
Explanations:
Security groups in AWS are stateful, meaning that if an inbound rule allows traffic, the response traffic is automatically allowed, so outbound rules do not need to match inbound rules.
Network ACLs in AWS are stateless, so return traffic is not tracked and must be allowed by an explicit outbound rule. The response to a vendor's request leaves the instance bound for the source port the client chose, which is an ephemeral port (AWS recommends covering 1024-65535, since different operating systems and NAT devices use different ranges). Adding an outbound allow rule for the ephemeral port range lets the response reach the vendor, so this is the correct solution.
Internet gateways do not have configurable rules for inbound or outbound traffic. Access control is managed through security groups and network ACLs.
Network ACLs do need both an inbound and an outbound rule for two-way traffic, but copying the inbound rules to the outbound direction does not fix the problem: the inbound rules allow the application's listening port, whereas the return traffic is destined for the client's ephemeral source port, which the mirrored rules would not cover. Only an outbound rule for the ephemeral port range allows the response.
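As an added illustration of why the second and fourth options differ (this is not part of the original question or answer), the following model evaluates network ACL rules the way AWS does: numbered rules checked in ascending order, first match wins, implicit deny at the end, and each direction checked independently. The application port (443), the vendor's source port (54321) and the rule numbers are assumed for the example.

```python
# Added example: a minimal model of AWS network ACL (stateless) versus
# security group (stateful) evaluation. Ports and rule numbers are assumed.
from dataclasses import dataclass

# Range AWS recommends for return traffic, since client OSes and NAT devices
# pick ephemeral ports from different sub-ranges.
EPHEMERAL_RANGE = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rules are evaluated in ascending order
    protocol: str     # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"


def evaluate(rules, protocol, dest_port):
    """Return True if a packet to dest_port is allowed by this rule set.

    NACL semantics: lowest-numbered matching rule wins; if nothing matches,
    the implicit '*' rule denies the packet.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.port_from <= dest_port <= rule.port_to:
            return rule.action == "allow"
    return False  # implicit deny


# Assumed: vendors reach the application over HTTPS on port 443.
inbound = [Rule(100, "tcp", 443, 443, "allow")]

# Option "same outbound rules as inbound": only port 443 is allowed outbound.
outbound_mirrored = [Rule(100, "tcp", 443, 443, "allow")]

# Option "allow outbound traffic to ephemeral ports".
outbound_ephemeral = [Rule(100, "tcp", *EPHEMERAL_RANGE, "allow")]


def connection_works(inbound_rules, outbound_rules,
                     client_src_port=54321, app_port=443):
    """Stateless check: the request (dest=app_port) must pass the inbound
    rules AND the reply (dest=client's source port) must pass the outbound
    rules, because a NACL does not remember the inbound request."""
    request_ok = evaluate(inbound_rules, "tcp", app_port)
    reply_ok = evaluate(outbound_rules, "tcp", client_src_port)
    return request_ok and reply_ok


def stateful_connection_works(inbound_rules, app_port=443):
    """Security-group semantics (simplified: security groups are allow-only
    and unordered): if the inbound request matches, the reply is tracked and
    allowed automatically, so the outbound rules are never consulted."""
    return evaluate(inbound_rules, "tcp", app_port)


if __name__ == "__main__":
    print("NACL, outbound mirrored from inbound:", connection_works(inbound, outbound_mirrored))
    print("NACL, outbound allows ephemeral ports:", connection_works(inbound, outbound_ephemeral))
    print("Security group, inbound 443 only:", stateful_connection_works(inbound))
```

Running it shows the mirrored outbound rules break the connection (the SYN-ACK to port 54321 hits the implicit deny), the ephemeral-port rule allows it, and the security group needs no outbound rule at all. The same model also shows why a deny rule with a lower number than an allow rule wins.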