Restricting Communication Across EC2 Instances Using Security Groups - AWS Certified Cloud Practitioner Exam CLF-C01 - Amazon

Question

An organization runs several EC2 instances inside a VPC using three subnets, one for Development, one for Test and one for Production.

The Security team has some concerns about the VPC configuration.

It requires that communication across the EC2 instances be restricted using Security Groups. Which of the following options is true for Security Groups?

Answers

Explanations

Answer: A.

Option A is CORRECT because the AWS documentation states it in the section called "Changing an Instance's Security Group": "After you launch an instance into a VPC, you can change the security groups that are associated with the instance. You can change the security groups for an instance when the instance is in the running or stopped state."

Options B, C, D and E are INCORRECT as a consequence of A.

References:

https://docs.aws.amazon.com/en_pv/vpc/latest/userguide/VPC_SecurityGroups.html

The correct answer is A: You can change a Security Group associated with an instance if the instance state is stopped or running.

Explanation:

A Security Group acts as a virtual firewall that controls the inbound and outbound traffic for one or more instances in a VPC. You can think of a security group as a set of rules that define what type of traffic is allowed for an instance; traffic that matches no rule is denied. Security Groups are stateful, which means that if you allow inbound traffic, the return traffic is automatically allowed, regardless of the outbound rules.

In this scenario, the Security team requires that communication across the EC2 instances be restricted using Security Groups. By default, all traffic is allowed across the subnets, and all instances within the same VPC can communicate with each other. Therefore, to restrict communication, you need to create Security Groups with the appropriate rules and apply them to each EC2 instance.

Now, let's analyze the given options:

A. You can change a Security Group associated to an instance if the instance state is stopped or running.

This option is true. You can change the security groups associated with an instance at any time, even while it is running. However, the change takes effect immediately only if the instance is stopped; if the instance is running, it takes effect when the instance is restarted.

B. You can change a Security Group associated to an instance if the instance state is stopped but not if the instance state is running.

This option is incorrect. You can change the Security Group associated with an instance, whether it is running or stopped.

C. You can change a Security Group only if there are no instances associated with it.

This option is incorrect. You can change the rules of a Security Group at any time, even while instances are associated with it. Note that any rule change applies to all instances associated with that group.

D. The only Security Group you can change is the Default Security Group.

This option is incorrect. You can change any Security Group, including the Default Security Group, at any time.

E. None of the above.

This option is incorrect. Option A is correct, and therefore, it is the answer.
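The two points the explanation makes, that security groups are stateful allow-lists whose rules can reference other groups, and that the set of groups attached to an instance can be swapped while the instance is running or stopped (option A), are easier to see in a small model. The following is an added example written for this page; it is not AWS code and it does not call the AWS API. It uses constructed sample groups and instances whose layout follows the JSON that `aws ec2 describe-security-groups` returns, evaluates whether one instance can open a connection to another the way the VPC does (egress at the source and ingress at the destination, initiating direction only), swaps groups on an instance the way `aws ec2 modify-instance-attribute --groups` does, and audits for groups that admit all traffic, which is the condition the Security team in the question wants to remove. Group IDs, instance IDs and addresses are all invented.

```python
import ipaddress

# Constructed sample data (not from a real account). Shape follows the JSON that
# `aws ec2 describe-security-groups` returns, keyed here by GroupId for lookup.
ANY = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
SECURITY_GROUPS = {
    "sg-default": {  # the VPC default group: all traffic from members of itself
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                           "UserIdGroupPairs": [{"GroupId": "sg-default"}]}],
        "IpPermissionsEgress": [ANY],
    },
    "sg-dev": {  # dev instances may talk to each other on any port
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                           "UserIdGroupPairs": [{"GroupId": "sg-dev"}]}],
        "IpPermissionsEgress": [ANY],
    },
    "sg-prod-app": {  # prod app accepts HTTPS only from members of the prod LB group
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-prod-lb"}]}],
        "IpPermissionsEgress": [ANY],
    },
    "sg-prod-lb": {  # load balancer: HTTPS from anywhere
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
        "IpPermissionsEgress": [ANY],
    },
}

# Constructed instances: private IP and the groups currently attached.
INSTANCES = {
    "i-dev1":  {"ip": "10.0.1.10", "groups": ["sg-default"]},
    "i-prod1": {"ip": "10.0.3.10", "groups": ["sg-default"]},
    "i-lb1":   {"ip": "10.0.3.20", "groups": ["sg-prod-lb"]},
}


def rule_matches(rule, proto, port, peer_ip, peer_groups):
    """True if one permission entry covers this protocol/port to or from this peer."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
        return True
    # Group-referenced rules match by the peer's group membership, not its address.
    return any(p["GroupId"] in peer_groups for p in rule.get("UserIdGroupPairs", []))


def allows(group_ids, key, proto, port, peer_ip, peer_groups, sgs=SECURITY_GROUPS):
    """Rules of all attached groups are unioned; any matching allow rule wins.
    There are no deny rules, and no matching rule at all means the traffic is dropped."""
    return any(rule_matches(r, proto, port, peer_ip, peer_groups)
               for gid in group_ids for r in sgs[gid][key])


def can_connect(src_id, dst_id, proto, port, instances=INSTANCES, sgs=SECURITY_GROUPS):
    """Stateful check: only the initiating direction is evaluated.
    Egress at the source and ingress at the destination must both allow it;
    the reply packets are tracked by the VPC and need no rule of their own."""
    src, dst = instances[src_id], instances[dst_id]
    out_ok = allows(src["groups"], "IpPermissionsEgress", proto, port, dst["ip"], dst["groups"], sgs)
    in_ok = allows(dst["groups"], "IpPermissions", proto, port, src["ip"], src["groups"], sgs)
    return out_ok and in_ok


def modify_instance_groups(instance_id, group_ids, instances=INSTANCES):
    """Replace the whole set of groups attached to an instance, as
    `aws ec2 modify-instance-attribute --instance-id ... --groups ...` does."""
    instances[instance_id]["groups"] = list(group_ids)
    return instances[instance_id]["groups"]


def overly_permissive(sgs=SECURITY_GROUPS):
    """Audit: ingress rules that admit every protocol and port, either from anywhere
    or from every member of the group itself (the default group's standing rule)."""
    findings = []
    for gid, sg in sgs.items():
        for r in sg["IpPermissions"]:
            if r["IpProtocol"] != "-1":
                continue
            if any(x["CidrIp"] == "0.0.0.0/0" for x in r.get("IpRanges", [])):
                findings.append((gid, "all traffic from 0.0.0.0/0"))
            if any(p["GroupId"] == gid for p in r.get("UserIdGroupPairs", [])):
                findings.append((gid, "all traffic between its own members"))
    return findings


if __name__ == "__main__":
    print(can_connect("i-dev1", "i-prod1", "tcp", 443))   # both still in the default group
    modify_instance_groups("i-dev1", ["sg-dev"])           # swap groups on the instances
    modify_instance_groups("i-prod1", ["sg-prod-app"])
    print(can_connect("i-dev1", "i-prod1", "tcp", 443))   # dev is no longer admitted
    print(can_connect("i-lb1", "i-prod1", "tcp", 443))    # the referenced LB group is
    print(overly_permissive())
```

The `overly_permissive` audit is the check to run over a real `describe-security-groups` export before the swap: as long as every instance still carries the default group, its self-referencing all-traffic rule lets Development reach Production regardless of what the purpose-built groups say, because the rules of all attached groups are unioned.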