PrepAway - Latest Free Exam Questions & Answers

What changes need to be made to allow SSH access to the instance?

An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and
deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and
deny all outbound traffic. What changes need to be made to allow SSH access to the instance?


A.
The outbound security group needs to be modified to allow outbound traffic.

B.
The outbound network ACL needs to be modified to allow outbound traffic.

C.
Nothing, it can be accessed from any IP address using SSH.

D.
Both the outbound security group and outbound network ACL need to be modified to allow outbound
traffic.

44 Comments on “What changes need to be made to allow SSH access to the instance?”

  1. Guvenor says:

    B should be correct because the security group is stateful while the NACL is stateless. But if you want to be politically correct, then D is the right one.




  2. austin says:

    coding.smashingmagazine.com/2013/01/30/introduction-to-firewalls/
    gives a very clear explanation of stateless and stateful firewalls, inbound and outbound.

    Thus, the answer is B.




  3. Wasil says:

    Correct Answer is B as Security groups can specify only Allow rules, but not deny rules

    and by default security groups allow all outbound traffic




  4. kalel says:

    C is correct. I tested it. The instance’s security group is configured to only allow SSH from IP address and deny all outbound traffic. But SSH access to the instance works. Outbound traffic isn’t necessary.




  5. Umanath Nayak says:

    C is the correct answer. SSH DOES NOT require Outbound Traffic permissions. As long as inbound traffic to port 22 is allowed, you should be fine.




    1. Junaid says:

      Can you explain a bit about the setup and security group that you were using?

      As per the link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

      You can specify allow rules, but not deny rules.
      You can specify separate rules for inbound and outbound traffic.
      When you create a security group, it has no inbound rules. Therefore, no inbound traffic is allowed until you add inbound rules to the security group.
      By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic is allowed.
      Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.




  6. Allen says:

    The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic

    C = Correct because it says ANY IP is allowable into but DENY going out




  7. deathless says:

    Too many different answers. Just went ahead and replicated this requirement, then ran the instance and was able to connect/log in via SSH without any issues.

    C appears to be the correct answer.




  8. Anthony says:

    D is right. Even though security groups are stateful by default, in this case the outbound rule had been modified to deny all outbound traffic. So it needs changing to allowed. As NACLs are stateless, it naturally needs outbound rules modified.




      1. Anthony says:

        Nah, answer is D. You can remove the outbound rule in security groups, which effectively denies all outbound traffic. So both SG and NACL need to be modified to allow outbound traffic.




  9. RP says:

    Modifying the Security Group will not be required as they allow configuring only allow.
    NACLs support specifying Deny and NACL will be enforced before changing.
    To enable SSH, it is required to modify only the NACL and the best option will be B.




  10. Amit says:

    B is correct answer

    Network ACLs are stateless, hence if you have an allow rule set for inbound traffic then you should also have an allow rule set for outbound traffic.




  11. Juan says:

    Answer is C.

    You can enable an Inbound rule in a Security Group, for example SSH access. The rules are stateful in Security Groups. It is not necessary to allow output traffic because when you enable an Inbound rule, output traffic is automatically allowed for this port.




  12. Suresh says:

    A is wrong because in SG if inbound is allowed by default outbound is allowed.
    B is more like yes, but in the question it states that instance’s security group is configured to allow SSH from any “IP address”- check with A.
    C is right, because as it is allowed via SSH from any IP address we don’t have to make any changes.
    D is wrong as we don’t have any specific option to modify the outbound rule in SG.




    1. Suresh says:

      Sorry but after rephrasing the question, B is the right answer because even though the security group is allowing SSH from any IP, the NACL would block the outbound.
      So we need to change the NACL.




  13. QuizBuster says:

    As Junaid mentioned above, “stateful” means that “responses” to allowed inbound traffic are always allowed back out again. Not any traffic using same ports.

    Did a test, with a SG allowing port 22 & 80 in and without any outbound rule. Could easily log in via SSH and/or access the index.html file of a httpd service, but wasn’t capable of using services of same traffic/port type from within the instance going out (SSH into another instance in same SG or yum updates), without adding the corresponding outbound port rules to the SG.

    B is the only correct answer.




  14. My Tuan says:

    B
    “An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic”
    => NACL is stateless so you need to modify it.

    “The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic”
    => Security Group is stateful so you don’t need to modify anything.




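The rule evaluation the thread argues about can be traced with a small model. This is an added example, not code from the original page or from AWS: it models a stateful, allow-only security group and a stateless, ordered network ACL, then walks one SSH request and its reply through both. The class and function names, the client address and the ephemeral port are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NetworkAcl:
    """Stateless: every packet is matched against its direction's ordered rules."""
    inbound: list    # (rule_number, port_lo, port_hi, "allow" | "deny")
    outbound: list

    def permits(self, direction, dport):
        rules = self.inbound if direction == "in" else self.outbound
        for _num, lo, hi, action in sorted(rules):
            if lo <= dport <= hi:
                return action == "allow"    # lowest-numbered match wins
        return False                        # implicit final deny

@dataclass
class SecurityGroup:
    """Stateful and allow-only: replies to a tracked flow skip the outbound rules."""
    inbound_ports: set
    outbound_ports: set
    tracked: set = field(default_factory=set)

    def permits_in(self, src, sport, dport):
        if dport in self.inbound_ports:
            self.tracked.add((src, sport, dport))   # remember the accepted flow
            return True
        return False

    def permits_out(self, dst, dport, sport):
        return (dst, dport, sport) in self.tracked or dport in self.outbound_ports

def ssh_round_trip(nacl, sg, client="198.51.100.7", eport=50000):
    """Client request to port 22, then the reply to the client's ephemeral port."""
    if not (nacl.permits("in", 22) and sg.permits_in(client, eport, 22)):
        return "request dropped"
    if not sg.permits_out(client, eport, 22):
        return "reply dropped by security group"
    if not nacl.permits("out", eport):      # reply's destination port is ephemeral
        return "reply dropped by network ACL"
    return "connected"

# Constructed scenario from the question: the SG allows SSH in and has no outbound
# rules; the NACL allows all inbound and denies all outbound.
ALL = (0, 65535)
sg = SecurityGroup(inbound_ports={22}, outbound_ports=set())
as_asked = NetworkAcl(inbound=[(100, *ALL, "allow")], outbound=[(100, *ALL, "deny")])
fixed = NetworkAcl(inbound=[(100, *ALL, "allow")], outbound=[(100, 1024, 65535, "allow")])
if __name__ == "__main__":
    print(ssh_round_trip(as_asked, sg), "|", ssh_round_trip(fixed, sg))
```

In this model the security group needs no outbound rule for the reply, while a new connection initiated from the instance (not a tracked reply) is still refused by `permits_out`, which matches the behaviour QuizBuster describes.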
