The correct answer is that the instance is responding to an inbound SSH connection from the remote IP. This scenario hinges on how VPC Flow Logs capture bidirectional traffic from the network interface’s perspective: the source port of 22 (SSH) on an outbound log entry is the reply side of an inbound SSH session, because the instance’s SSH server sends return traffic using its own port 22 as the source. On the AWS Certified Security Specialty SCS-C02 exam, this question tests your ability to interpret VPC Flow Log entries by recognizing that the source and destination fields flip depending on the direction of the flow, and a common trap is assuming the source port always reflects the initiator’s ephemeral port. Remember, flow logs show each direction separately, so an outbound entry with a well-known server port like 22 or 443 usually indicates a reply. Memory tip: “Reply ports mirror the server—if you see 22 going out, SSH came in.”
SCS-C02 Security Logging and Monitoring Practice Question
This SCS-C02 practice question tests your understanding of security logging and monitoring. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit.
[2023-01-15 12:34:56] 10.0.1.5 203.0.113.5 22 443 6 10 1000 1234567890 1234567891 ACCEPT OK
Refer to the exhibit. A security engineer is analyzing a VPC Flow Log entry from an EC2 instance with private IP 10.0.1.5. The log shows an outbound connection to IP 203.0.113.5 on port 443 from source port 22. The connection was accepted. What is the most likely scenario?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Correct answer & explanation
✓
The instance is responding to an inbound SSH connection from the remote IP.
Option C is correct. VPC Flow Logs record connections from the perspective of the network interface. The source IP and port are the instance's private IP and ephemeral port. Here, the source port is 22 (SSH), which is unusual for an outbound connection. This suggests the entry might be a reply to an inbound SSH connection (since flow logs capture both directions). The instance is likely replying to an SSH session initiated from the remote IP. Option A is wrong because port 22 is SSH, not HTTPS. Option B is wrong because the instance is the source in the log, not the destination. Option D is wrong because the remote IP is not private.
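Added example (not part of the original page and not AWS code): a small parser that applies the reply-port reasoning above to flow log records. It goes one step beyond the explanation by using the custom `tcp-flags` field, when it is logged, to confirm which side opened the TCP connection. The field order in `FIELDS`, the 1024 port boundary and the sample records are assumptions constructed for illustration.

```python
# FIELDS is an assumed custom log format; match it to your own flow log's format.
FIELDS = ["srcaddr", "dstaddr", "srcport", "dstport", "protocol", "tcp-flags", "action"]
SYN, ACK = 2, 16          # bits in the flow log tcp-flags bitmask (SYN-ACK is 18)
EPHEMERAL_FLOOR = 1024    # heuristic boundary chosen for this example


def parse(line, fields=FIELDS):
    """Split one space-separated record into a dict; numeric fields become ints."""
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    rec = dict(zip(fields, values))
    for key in ("srcport", "dstport", "protocol", "tcp-flags"):
        rec[key] = int(rec[key]) if rec[key].isdigit() else None  # "-" becomes None
    return rec


def sender_role(rec):
    """Return 'initiator', 'responder' or 'undetermined' for the record's source side."""
    flags = rec.get("tcp-flags") or 0
    if rec["protocol"] == 6 and flags & SYN:
        # SYN without ACK is the opening packet; SYN+ACK is the server's answer.
        return "responder" if flags & ACK else "initiator"
    src, dst = rec["srcport"], rec["dstport"]
    if src is None or dst is None:
        return "undetermined"
    src_low, dst_low = src < EPHEMERAL_FLOOR, dst < EPHEMERAL_FLOOR
    if src_low and not dst_low:
        return "responder"    # e.g. source port 22: the SSH server replying
    if dst_low and not src_low:
        return "initiator"
    return "undetermined"     # both or neither well-known: ports alone cannot decide


def describe(line, local_ip):
    """Combine log direction (egress/ingress at local_ip) with the sender's role."""
    rec = parse(line)
    direction = "egress" if rec["srcaddr"] == local_ip else "ingress"
    return direction, sender_role(rec)


# Constructed sample records (not taken from a real environment).
SAMPLES = [
    "203.0.113.5 10.0.1.5 51514 22 6 2 ACCEPT",    # remote client opens SSH
    "10.0.1.5 203.0.113.5 22 51514 6 18 ACCEPT",   # instance's SSH server answers
    "10.0.1.5 203.0.113.5 22 51514 6 0 ACCEPT",    # later in the session, no flags
    "10.0.1.5 198.51.100.7 123 123 17 0 ACCEPT",   # NTP: both ports well-known
]
```

Call `describe(record, "10.0.1.5")` on each line to get the pair (direction, role). Because `tcp-flags` is OR-ed across the aggregation interval, a short flow can show 19 or 3 instead of 18 or 2, which the bit tests above still classify correctly.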
Key principle: NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
The instance is responding to an inbound SSH connection from the remote IP.
Why this is correct
Flow logs capture both directions; source port 22 indicates reply.
Clue confirmation
The clue word "most likely" in the question points toward this answer.
Related concept
Static NAT maps one inside address to one outside address.
✗
The instance is connecting to a remote server on the internal network.
Why it's wrong here
Remote IP is public (203.0.113.5).
✗
The instance is receiving an SSH connection from the remote IP.
Why it's wrong here
Log shows outbound from instance.
✗
The instance is making an HTTPS request to a web server.
Common exam trap: NAT rules depend on direction and matching traffic
NAT is not only about the public address. The inside/outside interface roles and the ACL or rule that matches traffic are just as important.
Trap categories for this question
Command / output trap
Log shows outbound from instance.
Detailed technical explanation
How to think about this question
NAT questions usually test address translation, overload/PAT behaviour, static mappings and whether the right traffic is being translated. Read the interface direction and address terms carefully.
Key Concepts to Remember
Static NAT maps one inside address to one outside address.
PAT allows many inside hosts to share one public address using ports.
Inside local and inside global describe the private and translated addresses.
NAT ACLs identify traffic for translation, not always security filtering.
Exam Day Tips
→ Identify inside and outside interfaces first.
→ Check whether the scenario needs static NAT, dynamic NAT or PAT.
→ Do not confuse NAT matching ACLs with normal packet-filtering intent.
Key takeaway
NAT direction and interface roles matter as much as the IP address mapping. Inside/outside designation controls which traffic is translated.
Real-world example
How this comes up in practice
A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.
What to study next
Got this wrong? Here's your next step.
Review the four NAT address types (inside local, inside global, outside local, outside global), PAT port overload, and static vs dynamic NAT use cases. Then practise related SCS-C02 NAT questions on configuration and troubleshooting.
Security Logging and Monitoring — This question tests Security Logging and Monitoring — Static NAT maps one inside address to one outside address.
What is the correct answer to this question?
The correct answer is: The instance is responding to an inbound SSH connection from the remote IP. — Option C is correct. VPC Flow Logs record connections from the perspective of the network interface. The source IP and port are the instance's private IP and ephemeral port. Here, the source port is 22 (SSH), which is unusual for an outbound connection. This suggests the entry might be a reply to an inbound SSH connection (since flow logs capture both directions). The instance is likely replying to an SSH session initiated from the remote IP. Option A is wrong because port 22 is SSH, not HTTPS. Option B is wrong because the instance is the source in the log, not the destination. Option D is wrong because the remote IP is not private.
What should I do if I get this SCS-C02 question wrong?
Review the four NAT address types (inside local, inside global, outside local, outside global), PAT port overload, and static vs dynamic NAT use cases. Then practise related SCS-C02 NAT questions on configuration and troubleshooting.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Static NAT maps one inside address to one outside address.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Refer to the exhibit. This is a line from a VPC Flow Log. A security analyst notices that the log shows an ACCEPT record for a connection from 10.0.1.5 to 10.0.2.10 on port 443. However, the analyst expected the connection to be denied. Which field in the flow log record indicates that the connection was accepted?
hard
✓ A. The action field (ACCEPT)
B. The version field (2)
C. The protocol field (6)
D. The destination port field (443)
Why A: Option D is correct. The 11th field (ACCEPT) is the action field, which indicates whether the traffic was accepted or rejected. Option A is wrong because the version field (1st field) is 2. Option B is wrong because the protocol field (7th field) is 6 (TCP). Option C is wrong because the destination port (5th field) is 443.
Last reviewed: Jun 20, 2026
This SCS-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SCS-C02 exam.