Question 1,045 of 1,748
Infrastructure SecurityhardMultiple ChoiceObjective-mapped

Restrict EC2 Traffic to Only ALB Using Security Group Referencing

This SCS-C02 practice question tests your understanding of infrastructure security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company runs a critical application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team wants to ensure that only traffic from the ALB reaches the EC2 instances, and that instances cannot initiate outbound connections to the internet. Which combination of security group rules should be implemented? (Select TWO.)

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Inbound rule: Allow HTTP/HTTPS from the ALB's security group.

Option B is correct because referencing the ALB's security group as the source for inbound HTTP/HTTPS traffic ensures that only traffic that has passed through the ALB can reach the EC2 instances. This leverages security group chaining, where the ALB's security group acts as a trusted source, preventing direct internet access to the instances. Option D is correct because a deny-all outbound rule to 0.0.0.0/0 blocks all outbound internet connections, satisfying the requirement that instances cannot initiate outbound connections.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Inbound rule: Allow HTTP/HTTPS from 0.0.0.0/0.

    Why it's wrong here

    This would allow direct access to instances from the internet.

  • Inbound rule: Allow HTTP/HTTPS from the ALB's security group.

    Why this is correct

    This ensures only ALB traffic reaches the instances.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Outbound rule: Allow all traffic to the ALB's security group only.

    Why it's wrong here

    This does not prevent instances from reaching the internet via other routes (e.g., NAT gateway).

  • Outbound rule: Deny all traffic to 0.0.0.0/0.

    Why this is correct

    This prevents instances from initiating outbound internet connections.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Outbound rule: Allow all traffic to 0.0.0.0/0.

    Why it's wrong here

    This would allow instances to initiate outbound connections to the internet.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse stateful security group behavior with stateless network ACLs, mistakenly thinking that a deny-all outbound rule will block return traffic for inbound connections, or they incorrectly assume that allowing outbound traffic to the ALB's security group is sufficient to prevent internet access.

Detailed technical explanation

How to think about this question

Security groups are stateful, meaning that if an inbound rule allows traffic, the outbound return traffic is automatically permitted regardless of outbound rules. However, outbound rules control traffic initiated by the instance itself; a deny-all outbound rule (e.g., to 0.0.0.0/0) blocks any new outbound connections, while still allowing return traffic for inbound connections. In this scenario, the ALB's security group must have an outbound rule allowing traffic to the instance's security group, but the instance's outbound rule should be a deny-all to prevent internet egress. Under the hood, AWS evaluates security group rules in a stateless manner for outbound traffic, but statefulness applies to connection tracking.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related SCS-C02 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SCS-C02 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SCS-C02 question test?

Infrastructure Security — This question tests Infrastructure Security — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Inbound rule: Allow HTTP/HTTPS from the ALB's security group. — Option B is correct because referencing the ALB's security group as the source for inbound HTTP/HTTPS traffic ensures that only traffic that has passed through the ALB can reach the EC2 instances. This leverages security group chaining, where the ALB's security group acts as a trusted source, preventing direct internet access to the instances. Option D is correct because a deny-all outbound rule to 0.0.0.0/0 blocks all outbound internet connections, satisfying the requirement that instances cannot initiate outbound connections.

What should I do if I get this SCS-C02 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

3 more ways this is tested on SCS-C02

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company runs a web application on Amazon EC2 behind an Application Load Balancer (ALB). The security team wants to allow only traffic from the ALB to reach the EC2 instances. Which security group configuration should be used?

hard
  • A.Allow inbound traffic from the ALB's private IP addresses on the EC2 security group.
  • B.Allow inbound traffic from the VPC CIDR block on the EC2 security group.
  • C.Allow inbound traffic from the ALB's security group ID on the EC2 security group.
  • D.Allow inbound HTTP traffic from 0.0.0.0/0 on the EC2 security group.

Why C: Option C is correct because security groups can reference other security groups by ID. By setting an inbound rule on the EC2 security group that references the ALB's security group ID, only traffic originating from the ALB is allowed. This is the recommended approach as ALB private IP addresses are dynamic and can change, making IP-based rules (Option A) unreliable.

Variation 2. A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is configured to terminate SSL/TLS and forward traffic to the instances over HTTP. The security team wants to ensure that the instances only accept traffic from the ALB, not from any other source. How can this be achieved?

hard
  • A.Configure the instance security group to allow HTTP traffic only from the VPC CIDR block.
  • B.Configure the instance security group to allow HTTP traffic only from the ALB's security group.
  • C.Configure the network ACL on the instance's subnet to allow HTTP traffic only from the ALB's private IP address.
  • D.Configure the instance security group to allow HTTP traffic only from the subnet CIDR block where the ALB resides.

Why B: Option B is correct because referencing the ALB's security group in the instance security group rule allows traffic only from the ALB, regardless of the ALB's IP address changes. This leverages AWS security group referencing, which is a managed and scalable way to restrict traffic to a specific source security group. The ALB's security group acts as a logical identifier, ensuring that only traffic forwarded by the ALB reaches the instances.

Variation 3. A company is deploying a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The instances are in a private subnet. How should the security group for the EC2 instances be configured?

easy
  • A.Allow inbound HTTP/HTTPS from the internet gateway.
  • B.Allow inbound HTTP/HTTPS from the security group of the ALB.
  • C.Allow inbound HTTP/HTTPS from 0.0.0.0/0.
  • D.Allow inbound HTTP/HTTPS from the VPC CIDR.

Why B: The EC2 instances are in a private subnet and should only accept traffic from the ALB, not directly from the internet. By referencing the ALB's security group as the source, you ensure that only traffic that has passed through the ALB can reach the instances, maintaining a secure architecture. This follows the principle of least privilege and prevents bypassing the load balancer.

Keep practising

More SCS-C02 practice questions

Last reviewed: Jul 4, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SCS-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SCS-C02 exam.