Answer choices
- A. Allow inbound traffic from the ALB's private IP addresses on the EC2 security group. (Why wrong: ALB IPs can change, making this unreliable.)
- B. Allow inbound traffic from the VPC CIDR block on the EC2 security group. (Why wrong: allows traffic from any resource in the VPC.)
- C. Allow inbound traffic from the ALB's security group ID on the EC2 security group. (Correct: referencing the security group ID ensures traffic comes only from the ALB.)
- D. Allow inbound HTTP traffic from 0.0.0.0/0 on the EC2 security group. (Why wrong: allows traffic from anywhere, not just the ALB.)
Quick Answer
The correct answer is to allow inbound traffic from the ALB’s security group ID on the EC2 security group. This works because AWS security groups support stateful, rule-based referencing by security group ID rather than by IP address, meaning the EC2 instance’s security group can be configured to accept traffic only from the ALB’s security group as the source. This approach is preferred over using CIDR blocks because the ALB’s IP addresses can change dynamically due to scaling or replacement, making a static IP rule brittle. On the AWS Certified Security Specialty SCS-C02 exam, this question tests your understanding of security group chaining and the principle of least privilege for network traffic. A common trap is assuming you must use the ALB’s IP range or a VPC CIDR, but the exam expects you to recognize that security group IDs are the correct, scalable method. Memory tip: think “group-to-group, not IP-to-group” — if you see a security group ID as a source, you’re on the right track.
SCS-C02 Infrastructure Security Practice Question
This SCS-C02 practice question tests your understanding of infrastructure security. It is a configuration task: choose the security group configuration that satisfies every stated requirement. Small differences in the rule's source (a security group ID, a CIDR block, or a list of IP addresses) change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company runs a web application on Amazon EC2 behind an Application Load Balancer (ALB). The security team wants to allow only traffic from the ALB to reach the EC2 instances. Which security group configuration should be used?
Correct answer & explanation
Allow inbound traffic from the ALB's security group ID on the EC2 security group.
Option C is correct because security groups can reference each other by ID, allowing you to create a rule on the EC2 security group that permits inbound traffic only from the ALB's security group. This ensures that only traffic that has passed through the ALB can reach the EC2 instances, regardless of the ALB's IP addresses, which can change due to scaling or replacement.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ A. Allow inbound traffic from the ALB's private IP addresses on the EC2 security group. Why it's wrong here: ALB IPs can change, making this unreliable.
- ✗ B. Allow inbound traffic from the VPC CIDR block on the EC2 security group. Why it's wrong here: allows traffic from any resource in the VPC.
- ✓ C. Allow inbound traffic from the ALB's security group ID on the EC2 security group. Why this is correct: referencing the security group ID ensures traffic comes only from the ALB. Related concept: read the scenario before looking for a memorised answer.
- ✗ D. Allow inbound HTTP traffic from 0.0.0.0/0 on the EC2 security group. Why it's wrong here: allows traffic from anywhere, not just the ALB.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often assume ALBs have fixed private IP addresses and choose Option A, not realizing that ALB IPs are dynamic and that security group referencing is the AWS-recommended method for this pattern.
Detailed technical explanation
How to think about this question
Under the hood, security group referencing works by evaluating the source security group's network interfaces; when the ALB's security group is specified as the source, the EC2 instance accepts traffic from any network interface associated with that security group (including ALB nodes). This is particularly useful in auto-scaling scenarios where ALB nodes are added or removed, as the security group rule automatically adapts without manual IP updates. Additionally, this approach supports cross-account ALB-to-EC2 communication when using VPC peering or Transit Gateway, as long as the security groups are in the same account or properly shared.
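The Quick Answer and the paragraph above rest on one mechanism: a rule that names a security group as its source matches by interface membership, not by address. The Python model below is an added example, not code from the page or from AWS. It replays the four answer choices against an ALB node, a replacement ALB node that came up with a new private IP, another instance in the same VPC, and an internet host. Every ID, CIDR and address is a constructed placeholder, and the `Sender` and `IngressRule` types, the `sg-alb`/`sg-other` names and the `scenario` helper are the example's own.

```python
"""Added example: how a group-referenced security group rule behaves when
ALB nodes are replaced, compared with address-based rules. All IDs,
addresses and CIDRs are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import ipaddress


@dataclass
class Sender:
    """A packet source: an interface in the VPC (with its groups) or an internet host."""
    name: str
    ip: str
    security_groups: Set[str] = field(default_factory=set)


@dataclass
class IngressRule:
    port: int
    source_sg: Optional[str] = None    # Option C: source is a security group ID
    source_cidr: Optional[str] = None  # Options A, B, D: source is an address range


def rule_allows(rule: IngressRule, src: Sender, port: int) -> bool:
    """Match the port, then the source by group membership or by address."""
    if port != rule.port:
        return False
    if rule.source_sg is not None:
        # A group-referenced rule checks which groups the sending interface
        # belongs to; the interface's IP address plays no part.
        return rule.source_sg in src.security_groups
    return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.source_cidr)


def scenario(rule: IngressRule) -> Dict[str, bool]:
    """Who reaches port 80 under `rule`, before and after an ALB node is replaced."""
    alb_node = Sender("alb-node-1", "10.0.1.15", {"sg-alb"})
    rogue = Sender("other-instance", "10.0.3.7", {"sg-other"})  # same VPC, not the ALB
    internet = Sender("internet-host", "203.0.113.9")           # no security group
    results = {
        "alb-original": rule_allows(rule, alb_node, 80),
        "rogue-in-vpc": rule_allows(rule, rogue, 80),
        "internet": rule_allows(rule, internet, 80),
    }
    # Scaling or replacement: a new ALB node joins the same group with a new IP.
    alb_replacement = Sender("alb-node-2", "10.0.1.200", {"sg-alb"})
    results["alb-replaced"] = rule_allows(rule, alb_replacement, 80)
    return results


def meets_requirement(results: Dict[str, bool]) -> bool:
    """The scenario's requirement: only the ALB reaches the instances, even after replacement."""
    return (results["alb-original"] and results["alb-replaced"]
            and not results["rogue-in-vpc"] and not results["internet"])


# The four answer choices as rules (the ALB IP and VPC CIDR are constructed).
OPTIONS = {
    "A: ALB private IP": IngressRule(80, source_cidr="10.0.1.15/32"),
    "B: VPC CIDR": IngressRule(80, source_cidr="10.0.0.0/16"),
    "C: ALB security group": IngressRule(80, source_sg="sg-alb"),
    "D: anywhere": IngressRule(80, source_cidr="0.0.0.0/0"),
}

if __name__ == "__main__":
    for label, rule in OPTIONS.items():
        outcome = scenario(rule)
        print(label, outcome, "meets requirement" if meets_requirement(outcome) else "fails")
```

Only the group-referenced rule keeps admitting the replacement node while still rejecting the other instance and the internet host; the IP-pinned rule stops matching the moment the node is replaced, and the two CIDR rules are over-broad. The model deliberately ignores statefulness and protocol, which do not change the comparison.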
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP addresses and accepts connections only from the web tier's security group. Questions like this test whether you can design cloud network isolation using VPCs, subnets, and security group rules.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
FAQ
Questions learners often ask
What does this SCS-C02 question test?
Infrastructure Security. This question tests Infrastructure Security: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Allow inbound traffic from the ALB's security group ID on the EC2 security group. — Option C is correct because security groups can reference each other by ID, allowing you to create a rule on the EC2 security group that permits inbound traffic only from the ALB's security group. This ensures that only traffic that has passed through the ALB can reach the EC2 instances, regardless of the ALB's IP addresses, which can change due to scaling or replacement.
What should I do if I get this SCS-C02 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
3 more ways this is tested on SCS-C02
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to ensure that only traffic from the ALB reaches the EC2 instances, and that instances cannot initiate outbound connections to the internet. Which combination of security group rules should be implemented? (Select TWO.)
Difficulty: hard
- A. Inbound rule: Allow HTTP/HTTPS from 0.0.0.0/0.
- ✓ B. Inbound rule: Allow HTTP/HTTPS from the ALB's security group.
- C. Outbound rule: Allow all traffic to the ALB's security group only.
- ✓ D. Outbound rule: Deny all traffic to 0.0.0.0/0.
- E. Outbound rule: Allow all traffic to 0.0.0.0/0.
Why B and D: Option B is correct because allowing inbound traffic from the ALB's security group ensures only ALB traffic reaches the instances. Option D is correct because blocking all outbound traffic to 0.0.0.0/0 prevents instances from initiating internet connections. Option A is wrong because allowing inbound from 0.0.0.0/0 would permit direct access to the instances. Option E is wrong because allowing outbound to 0.0.0.0/0 would allow internet connections. Option C is wrong because allowing outbound only to the ALB does not prevent instances from reaching the internet via other paths.
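Variation 1 pairs the inbound rule with an outbound lockdown, and one practical detail matters when you implement it: security groups are allow-only, with no deny rules, and every newly created group carries a default allow-all IPv4 egress rule, so "deny all traffic to 0.0.0.0/0" means revoking that default rule. The Python below is an added example, not code from the page or from AWS. It builds both rules in the `IpPermissions` shape that boto3's EC2 client takes for `authorize_security_group_ingress` and `revoke_security_group_egress`, applies them through an injected client so the example runs offline, and audits a `describe_security_groups`-style record against the two requirements. The group IDs, the `FakeEc2` stand-in and the `new_app_group` record are constructed; with a real `boto3.client("ec2")` the same `lock_down` call applies the change.

```python
"""Added example: Variation 1's two rules as boto3-shaped permissions,
applied through an injected client and verified by an audit function.
Group IDs and the fake client are constructed placeholders."""
from typing import Dict, List

ALB_SG = "sg-0aaa000000000alb0"   # constructed placeholder
APP_SG = "sg-0bbb000000000app0"   # constructed placeholder

# The IPv4 egress rule every newly created security group carries by default.
DEFAULT_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def ingress_from_alb(alb_sg: str, ports=(80, 443)) -> List[dict]:
    """Option B: inbound HTTP/HTTPS only from interfaces in the ALB's group."""
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "UserIdGroupPairs": [{"GroupId": alb_sg}]} for p in ports]


def lock_down(ec2, group_id: str, alb_sg: str) -> None:
    """Apply both requirements via an EC2 client (boto3.client('ec2') in practice).

    Option D, 'deny all outbound', is the absence of any egress allow rule:
    security groups cannot express a deny, so the default rule is revoked.
    """
    ec2.authorize_security_group_ingress(GroupId=group_id,
                                         IpPermissions=ingress_from_alb(alb_sg))
    ec2.revoke_security_group_egress(GroupId=group_id,
                                     IpPermissions=[DEFAULT_EGRESS])


def audit(group: dict, alb_sg: str) -> Dict[str, bool]:
    """Check one describe_security_groups() record against the two requirements."""
    ingress = group.get("IpPermissions", [])
    ingress_ok = bool(ingress) and all(
        not perm.get("IpRanges") and not perm.get("Ipv6Ranges")
        and bool(perm.get("UserIdGroupPairs"))
        and all(pair["GroupId"] == alb_sg for pair in perm["UserIdGroupPairs"])
        for perm in ingress)
    egress_ok = not group.get("IpPermissionsEgress", [])
    return {"ingress_only_from_alb": ingress_ok, "egress_locked": egress_ok}


class FakeEc2:
    """Offline stand-in for the boto3 client (constructed); edits records in place."""
    def __init__(self, groups: List[dict]):
        self.groups = {g["GroupId"]: g for g in groups}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.groups[GroupId].setdefault("IpPermissions", []).extend(IpPermissions)

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        g = self.groups[GroupId]
        g["IpPermissionsEgress"] = [p for p in g.get("IpPermissionsEgress", [])
                                    if p not in IpPermissions]


def new_app_group() -> dict:
    """A freshly created group: no inbound rules, default allow-all egress (constructed)."""
    return {"GroupId": APP_SG, "IpPermissions": [],
            "IpPermissionsEgress": [dict(DEFAULT_EGRESS)]}


if __name__ == "__main__":
    record = new_app_group()
    ec2 = FakeEc2([record])
    print("before:", audit(record, ALB_SG))
    lock_down(ec2, APP_SG, ALB_SG)
    print("after: ", audit(record, ALB_SG))
```

The audit is the check to keep around after the exam: run it over each record returned by `describe_security_groups` for the application tier, and any group that still shows an `IpRanges` source on ingress or any entry under `IpPermissionsEgress` has drifted from the Variation 1 requirements.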
Variation 2. A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is configured to terminate SSL/TLS and forward traffic to the instances over HTTP. The security team wants to ensure that the instances only accept traffic from the ALB, not from any other source. How can this be achieved?
Difficulty: hard
- A. Configure the instance security group to allow HTTP traffic only from the VPC CIDR block.
- ✓ B. Configure the instance security group to allow HTTP traffic only from the ALB's security group.
- C. Configure the network ACL on the instance's subnet to allow HTTP traffic only from the ALB's private IP address.
- D. Configure the instance security group to allow HTTP traffic only from the subnet CIDR block where the ALB resides.
Why B: Option B is correct because using the ALB's security group as the source in the instance security group ensures traffic comes only from the ALB. Option A is wrong because using the VPC CIDR would allow traffic from any resource in the VPC. Option D is wrong because using the subnet CIDR would allow traffic from any instance in that subnet. Option C is wrong because using a network ACL would affect all instances in the subnet and cannot differentiate by source.
Variation 3. A company is deploying a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The instances are in a private subnet. How should the security group for the EC2 instances be configured?
Difficulty: easy
- A. Allow inbound HTTP/HTTPS from the internet gateway.
- ✓ B. Allow inbound HTTP/HTTPS from the security group of the ALB.
- C. Allow inbound HTTP/HTTPS from 0.0.0.0/0.
- D. Allow inbound HTTP/HTTPS from the VPC CIDR.
Why B: Option B is correct because the security group should allow HTTP/S traffic from the ALB's security group, which is a best practice for least privilege. Option C is wrong because allowing all IPs exposes instances to direct internet traffic. Option D is wrong because the ALB is in a public subnet, not the VPC CIDR. Option A is wrong because the instances are in a private subnet and should not receive traffic from the internet.
Last reviewed: Jun 24, 2026
This SCS-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SCS-C02 exam.