Bird
Raised Fist0
AWScloud~20 mins

Security group as virtual firewall in AWS - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
Security Group Mastery
Get all challenges correct to earn this badge!
Test your skills under time pressure!
🧠 Conceptual
intermediate
1:30remaining
Understanding Security Group Inbound Rules

You have a security group with the following inbound rule:

Type: SSH
Protocol: TCP
Port Range: 22
Source: 0.0.0.0/0

What does this rule allow?

AAllows SSH access only from a specific IP address.
BBlocks all SSH access to instances associated with this security group.
CAllows SSH access only from within the same security group.
DAllows SSH access from any IP address to instances associated with this security group.
Attempts:
2 left
💡 Hint

Think about what 0.0.0.0/0 means in networking.

Configuration
intermediate
1:30remaining
Security Group Outbound Rule Behavior

You create a security group with no outbound rules. What will be the effect on instances using this security group?

AInstances cannot send any outbound traffic.
BInstances can send outbound traffic to any destination.
CInstances can send outbound traffic only to the same security group.
DInstances can send outbound traffic only on port 80.
Attempts:
2 left
💡 Hint

Remember the default behavior of outbound rules in AWS security groups.

Architecture
advanced
2:00remaining
Designing a Security Group for a Web Server

You want to create a security group for a web server that:

  • Allows HTTP traffic from anywhere
  • Allows SSH only from a specific office IP 203.0.113.5
  • Blocks all other traffic

Which inbound rule set correctly implements this?

AAllow TCP port 80 from 203.0.113.5/32 and Allow TCP port 22 from 0.0.0.0/0
BAllow TCP port 22 from 0.0.0.0/0 only
CAllow TCP port 80 from 0.0.0.0/0 and Allow TCP port 22 from 203.0.113.5/32
DAllow TCP port 80 from 0.0.0.0/0 only
Attempts:
2 left
💡 Hint

Think about which ports and sources are allowed for HTTP and SSH.

security
advanced
2:00remaining
Security Group Rule Priority and Conflicts

You have two inbound rules in a security group:

  • Allow TCP port 443 from 192.168.1.0/24
  • Deny TCP port 443 from 192.168.1.50/32

What will happen when a request comes from 192.168.1.50 on port 443?

AThe request is allowed because security groups do not support deny rules.
BThe request is denied because deny rules override allow rules.
CThe request is allowed only if it matches the first rule.
DThe request is denied because the more specific rule applies.
Attempts:
2 left
💡 Hint

Consider how AWS security groups handle deny rules.

service_behavior
expert
2:30remaining
Effect of Security Group Changes on Running Instances

You modify the inbound rules of a security group attached to running instances by removing a rule that allowed port 3306 (MySQL) from a specific IP range.

What happens immediately after this change?

AThe instances immediately block new inbound MySQL connections from that IP range.
BExisting MySQL connections from that IP range remain active, but new connections are blocked.
CThe instances must be restarted for the rule change to take effect.
DThe rule change has no effect until the security group is detached and reattached.
Attempts:
2 left
💡 Hint

Think about how security groups apply changes to network traffic.

Practice

(1/5)
1. What is the primary purpose of a security group in AWS?
easy
A. To act as a virtual firewall controlling traffic to resources
B. To store data securely in the cloud
C. To manage user permissions and roles
D. To monitor resource usage and billing

Solution

  1. Step 1: Understand the role of security groups

    Security groups control network traffic to and from AWS resources, acting like firewalls.

  2. Step 2: Differentiate from other AWS services

    Security groups do not store data, manage permissions, or monitor billing; those are other services.

  3. Final Answer:

    To act as a virtual firewall controlling traffic to resources -> Option A

  4. Quick Check:

    Security group = virtual firewall [OK]
Hint: Security groups control traffic, not data or users [OK]
Common Mistakes:
  • Confusing security groups with IAM roles
  • Thinking security groups store data
  • Mixing security groups with billing tools
2. Which of the following is the correct way to allow incoming HTTP traffic on port 80 in a security group ingress rule?
easy
A. Protocol: UDP, Port Range: 80, Source: 0.0.0.0/0
B. Protocol: ICMP, Port Range: 80, Source: 0.0.0.0/0
C. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
D. Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0

Solution

  1. Step 1: Identify the correct protocol and port for HTTP

    HTTP uses TCP protocol on port 80.

  2. Step 2: Confirm the source IP range for open access

    0.0.0.0/0 means allow from any IP address.

  3. Final Answer:

    Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0 -> Option D

  4. Quick Check:

    HTTP = TCP port 80 [OK]
Hint: HTTP always uses TCP port 80 for ingress [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Using wrong port like 22 for HTTP
  • Confusing ICMP with TCP/UDP protocols
3. Given this security group ingress rule: Protocol: TCP, Port Range: 22, Source: 203.0.113.0/24, which of the following IP addresses is allowed to connect via SSH?
medium
A. 203.0.114.10
B. 203.0.113.45
C. 192.168.1.1
D. 0.0.0.0

Solution

  1. Step 1: Understand the CIDR range 203.0.113.0/24

    This range includes all IPs from 203.0.113.0 to 203.0.113.255.

  2. Step 2: Check which IP falls inside this range

    203.0.113.45 is inside the range; others are outside.

  3. Final Answer:

    203.0.113.45 -> Option B

  4. Quick Check:

    IP in 203.0.113.0/24 allowed [OK]
Hint: Check if IP fits CIDR range to allow access [OK]
Common Mistakes:
  • Assuming 203.0.114.x is inside 203.0.113.0/24
  • Confusing 0.0.0.0 with a valid IP
  • Not understanding CIDR notation
4. You created a security group with this ingress rule: Protocol: TCP, Port Range: 443, Source: 0.0.0.0/0. However, HTTPS traffic is still blocked. What is the most likely reason?
medium
A. The instance's network ACL blocks port 443
B. Security groups do not control HTTPS traffic
C. The source IP range 0.0.0.0/0 is invalid
D. Port 443 is only for HTTP, not HTTPS

Solution

  1. Step 1: Confirm security group rule allows HTTPS

    Protocol TCP, port 443, source 0.0.0.0/0 allows HTTPS traffic from anywhere.

  2. Step 2: Identify other network controls

    Network ACLs can block traffic even if security group allows it.

  3. Final Answer:

    The instance's network ACL blocks port 443 -> Option A

  4. Quick Check:

    Network ACL can override security group [OK]
Hint: Check network ACL if security group allows but traffic blocked [OK]
Common Mistakes:
  • Thinking security groups don't control HTTPS
  • Believing 0.0.0.0/0 is invalid
  • Confusing port 443 with HTTP port 80
5. You want to restrict SSH access to your EC2 instance so only your office IP 198.51.100.25 can connect. Which security group ingress rule should you configure?
hard
A. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
B. Protocol: UDP, Port Range: 22, Source: 198.51.100.25/32
C. Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32
D. Protocol: TCP, Port Range: 80, Source: 198.51.100.25/32

Solution

  1. Step 1: Identify correct protocol and port for SSH

    SSH uses TCP protocol on port 22.

  2. Step 2: Restrict source IP to single address

    Use CIDR /32 to specify exactly one IP address (198.51.100.25/32).

  3. Final Answer:

    Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32 -> Option C

  4. Quick Check:

    SSH restricted to one IP with /32 [OK]
Hint: Use /32 CIDR to allow single IP only [OK]
Common Mistakes:
  • Allowing all IPs with 0.0.0.0/0
  • Using UDP instead of TCP for SSH
  • Using wrong port like 80 for SSH