Question 1,464 of 1,748
Infrastructure SecuritymediumMultiple ChoiceObjective-mapped

SCS-C02 Security group Practice Question

This SCS-C02 practice question tests your understanding of infrastructure security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: security group. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A security engineer notices that an Amazon EC2 instance is sending suspicious outbound traffic to an unknown IP address. The instance is part of an Auto Scaling group. The engineer needs to immediately stop the traffic without affecting the availability of the application. What should the engineer do?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "immediately / without restart"

    Why it matters: Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Update the security group attached to the instance to deny outbound traffic to the suspicious IP address.

Option C is correct because modifying the security group's outbound rules to remove the rule that allows traffic to the suspicious IP address effectively blocks the traffic at the instance level without terminating the instance. Security groups are stateful and allow-only; they do not support explicit deny rules. By removing the allow rule, the traffic is implicitly denied. This approach maintains application availability because the instance remains in the Auto Scaling group and continues to serve legitimate traffic.

Key principle: Security group

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Add a network ACL rule to deny outbound traffic to the suspicious IP address.

    Why it's wrong here

    Adding a network ACL deny rule affects the entire subnet and is stateless, potentially impacting other instances and requiring explicit allow for return traffic. It does not immediately stop traffic for the specific instance without side effects.

  • Terminate the instance immediately.

    Why it's wrong here

    Terminating the instance would stop the traffic but also reduces application availability until a new instance is launched by Auto Scaling. This affects availability.

  • Update the security group attached to the instance to deny outbound traffic to the suspicious IP address.

    Why this is correct

    By removing the outbound allow rule for the suspicious IP from the security group, traffic is implicitly denied. Security groups are stateful and only support allow rules; to block traffic, you remove the allow rule.

    Clue confirmation

    The clue word "immediately / without restart" in the question point toward this answer.

    Related concept

    Security group

  • Detach the instance from the Auto Scaling group.

    Why it's wrong here

    Detaching the instance from the Auto Scaling group does not stop the traffic; the instance continues running and sending traffic to the suspicious IP. It also affects scaling management.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap is that candidates often assume security groups support explicit deny rules, when in fact they only allow rules. To block traffic, you must remove the corresponding allow rule rather than adding a deny rule. Additionally, network ACLs (Option A) support deny rules but are stateless and affect the entire subnet, potentially impacting availability.

Detailed technical explanation

How to think about this question

Security groups are stateful, meaning that if you allow inbound traffic, the outbound response is automatically allowed regardless of outbound rules; however, outbound rules can be used to explicitly deny traffic to specific IPs by not including them in allowed destinations. Under the hood, security group rules are implemented as iptables or similar firewall rules on the EC2 hypervisor, and changes take effect immediately without requiring instance reboot. In a real-world scenario, this approach is critical for incident response where you need to isolate a compromised instance while preserving its role in the Auto Scaling group for forensic analysis or gradual remediation.

KKey Concepts to Remember

  • Security group
  • Network ACL
  • Auto Scaling group

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Security group

Real-world example

How this comes up in practice

An e-commerce site experiences heavy traffic on Black Friday and near-zero traffic during off-peak weeks. Rather than provisioning permanent large VMs, the team uses auto-scaling groups that add capacity automatically under load and reduce it overnight. Questions like this test whether you understand elasticity, availability zones, and cloud compute scaling patterns.

Visual reference

Source Router + ACL permit 10.0.0.0/8 deny any Server 10.0.0.5 ✓ 192.168.1.1 ✗ dropped ACLs evaluate top-down; first match wins — implicit deny all at end

What to study next

Got this wrong? Here's your next step.

Review security group, then practise related SCS-C02 questions on the same topic to reinforce the concept.

Related practice questions

Related SCS-C02 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SCS-C02 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SCS-C02 question test?

Infrastructure Security — This question tests Infrastructure Security — Security group.

What is the correct answer to this question?

The correct answer is: Update the security group attached to the instance to deny outbound traffic to the suspicious IP address. — Option C is correct because modifying the security group's outbound rules to remove the rule that allows traffic to the suspicious IP address effectively blocks the traffic at the instance level without terminating the instance. Security groups are stateful and allow-only; they do not support explicit deny rules. By removing the allow rule, the traffic is implicitly denied. This approach maintains application availability because the instance remains in the Auto Scaling group and continues to serve legitimate traffic.

What should I do if I get this SCS-C02 question wrong?

Review security group, then practise related SCS-C02 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "immediately / without restart". Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.

What is the key concept behind this question?

Security group

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More SCS-C02 practice questions

Last reviewed: Jul 4, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SCS-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SCS-C02 exam.