Configure Security Group for EC2 Instances Hosting a Web Application
Question
You work as an architect for a company.
An application is going to be deployed on a set of EC2 instances in a VPC.
The Instances will be hosting a web application.
You need to design the security group to ensure that users have the ability to connect from the Internet via HTTPS.
Which of the following needs to be configured for the security group?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - A.
The AWS Documentation mentions the following.
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
When you launch an instance in a VPC, you can assign five security groups to the instance.
Security groups act at the instance level, not the subnet level.
Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups.
If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.AWS Security groups are stateful.
It means that you do not need to open the outbound for responses - open only inbound for requests.
If you think your instances will be sending requests to certain IPs (for example: to upgrade/install a package), then you need to open the IP/port for that request.
By default, it is open for all traffic.
Option B is incorrect since security groups are stateful.
You don't need to define the rule for outbound traffic.
Options C and D are incorrect since you need to ensure access for HTTPS.
Hence you should not configure rules for port 80.
For more information on security groups, please visit the below URL-
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.htmlTo allow users to connect to the web application hosted on EC2 instances via HTTPS from the internet, you need to allow inbound traffic on port 443 (which is the default port for HTTPS) in the security group that is associated with the EC2 instances. Therefore, the correct answer is A: Allow Inbound access on port 443 for 0.0.0.0/0.
Explanation of each option: A. Allow Inbound access on port 443 for 0.0.0.0/0 - This option is the correct answer. It allows inbound traffic on port 443 (HTTPS) from any source IP address (0.0.0.0/0). B. Allow Outbound access on port 443 for 0.0.0.0/0 - This option allows outbound traffic on port 443 (HTTPS) to any destination IP address (0.0.0.0/0), but it does not allow inbound traffic. C. Allow Inbound access on port 80 for 0.0.0.0/0 - This option allows inbound traffic on port 80 (HTTP) from any source IP address (0.0.0.0/0), which is not what the question is asking for. The question specifically asks for HTTPS, which uses port 443. D. Allow Outbound access on port 80 for 0.0.0.0/0 - This option allows outbound traffic on port 80 (HTTP) to any destination IP address (0.0.0.0/0), but it does not allow inbound traffic.
It's important to note that while allowing inbound traffic on port 443 (HTTPS) is necessary to allow users to connect to the web application via HTTPS, it is not sufficient to fully secure the application. You should also consider implementing SSL/TLS certificates, using secure coding practices, and implementing other security measures to fully protect the web application.
