Bird
Raised Fist0
AWScloud~10 mins

Security group as virtual firewall in AWS - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to define a security group that allows inbound SSH traffic.

AWS
resource "aws_security_group" "example" {
  name        = "example-sg"
  description = "Allow SSH inbound"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "[1]"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Drag options to blanks, or click blank then click option'
Atcp
Budp
Cicmp
Dall
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'udp' instead of 'tcp' for SSH protocol.
Using 'all' which opens all protocols, not secure.
2fill in blank
medium

Complete the code to allow inbound HTTP traffic on port 80.

AWS
resource "aws_security_group" "web_sg" {
  name        = "web-sg"
  description = "Allow HTTP inbound"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "[1]"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Drag options to blanks, or click blank then click option'
Aicmp
Budp
Ctcp
Dall
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'udp' which is incorrect for HTTP.
Using 'icmp' which is for ping and network diagnostics.
3fill in blank
hard

Fix the error in the security group rule that tries to allow all inbound traffic.

AWS
resource "aws_security_group" "open_sg" {
  name        = "open-sg"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "[1]"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Drag options to blanks, or click blank then click option'
Atcp
Ball
Cany
D-1
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'all' or 'any' which are invalid protocol values.
Using 'tcp' which only allows TCP traffic.
4fill in blank
hard

Fill both blanks to create a security group rule that allows inbound HTTPS traffic only from a specific IP range.

AWS
resource "aws_security_group" "secure_sg" {
  name        = "secure-sg"
  description = "Allow HTTPS inbound from office"

  ingress {
    from_port   = [1]
    to_port     = [2]
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }
}
Drag options to blanks, or click blank then click option'
A443
B80
C22
D8080
Attempts:
3 left
💡 Hint
Common Mistakes
Using port 80 which is for HTTP, not HTTPS.
Using different values for from_port and to_port.
5fill in blank
hard

Fill all three blanks to define a security group that allows inbound TCP traffic on port 3306 from a specific subnet.

AWS
resource "aws_security_group" "db_sg" {
  name        = [1]
  description = "Allow MySQL inbound from subnet"

  ingress {
    from_port   = [2]
    to_port     = [3]
    protocol    = "tcp"
    cidr_blocks = ["10.0.1.0/24"]
  }
}
Drag options to blanks, or click blank then click option'
A"db-security-group"
B3306
D"database-sg"
Attempts:
3 left
💡 Hint
Common Mistakes
Using port 22 or 80 instead of 3306.
Not quoting the security group name.

Practice

(1/5)
1. What is the primary purpose of a security group in AWS?
easy
A. To act as a virtual firewall controlling traffic to resources
B. To store data securely in the cloud
C. To manage user permissions and roles
D. To monitor resource usage and billing

Solution

  1. Step 1: Understand the role of security groups

    Security groups control network traffic to and from AWS resources, acting like firewalls.

  2. Step 2: Differentiate from other AWS services

    Security groups do not store data, manage permissions, or monitor billing; those are other services.

  3. Final Answer:

    To act as a virtual firewall controlling traffic to resources -> Option A

  4. Quick Check:

    Security group = virtual firewall [OK]
Hint: Security groups control traffic, not data or users [OK]
Common Mistakes:
  • Confusing security groups with IAM roles
  • Thinking security groups store data
  • Mixing security groups with billing tools
2. Which of the following is the correct way to allow incoming HTTP traffic on port 80 in a security group ingress rule?
easy
A. Protocol: UDP, Port Range: 80, Source: 0.0.0.0/0
B. Protocol: ICMP, Port Range: 80, Source: 0.0.0.0/0
C. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
D. Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0

Solution

  1. Step 1: Identify the correct protocol and port for HTTP

    HTTP uses TCP protocol on port 80.

  2. Step 2: Confirm the source IP range for open access

    0.0.0.0/0 means allow from any IP address.

  3. Final Answer:

    Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0 -> Option D

  4. Quick Check:

    HTTP = TCP port 80 [OK]
Hint: HTTP always uses TCP port 80 for ingress [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Using wrong port like 22 for HTTP
  • Confusing ICMP with TCP/UDP protocols
3. Given this security group ingress rule: Protocol: TCP, Port Range: 22, Source: 203.0.113.0/24, which of the following IP addresses is allowed to connect via SSH?
medium
A. 203.0.114.10
B. 203.0.113.45
C. 192.168.1.1
D. 0.0.0.0

Solution

  1. Step 1: Understand the CIDR range 203.0.113.0/24

    This range includes all IPs from 203.0.113.0 to 203.0.113.255.

  2. Step 2: Check which IP falls inside this range

    203.0.113.45 is inside the range; others are outside.

  3. Final Answer:

    203.0.113.45 -> Option B

  4. Quick Check:

    IP in 203.0.113.0/24 allowed [OK]
Hint: Check if IP fits CIDR range to allow access [OK]
Common Mistakes:
  • Assuming 203.0.114.x is inside 203.0.113.0/24
  • Confusing 0.0.0.0 with a valid IP
  • Not understanding CIDR notation
4. You created a security group with this ingress rule: Protocol: TCP, Port Range: 443, Source: 0.0.0.0/0. However, HTTPS traffic is still blocked. What is the most likely reason?
medium
A. The instance's network ACL blocks port 443
B. Security groups do not control HTTPS traffic
C. The source IP range 0.0.0.0/0 is invalid
D. Port 443 is only for HTTP, not HTTPS

Solution

  1. Step 1: Confirm security group rule allows HTTPS

    Protocol TCP, port 443, source 0.0.0.0/0 allows HTTPS traffic from anywhere.

  2. Step 2: Identify other network controls

    Network ACLs can block traffic even if security group allows it.

  3. Final Answer:

    The instance's network ACL blocks port 443 -> Option A

  4. Quick Check:

    Network ACL can override security group [OK]
Hint: Check network ACL if security group allows but traffic blocked [OK]
Common Mistakes:
  • Thinking security groups don't control HTTPS
  • Believing 0.0.0.0/0 is invalid
  • Confusing port 443 with HTTP port 80
5. You want to restrict SSH access to your EC2 instance so only your office IP 198.51.100.25 can connect. Which security group ingress rule should you configure?
hard
A. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
B. Protocol: UDP, Port Range: 22, Source: 198.51.100.25/32
C. Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32
D. Protocol: TCP, Port Range: 80, Source: 198.51.100.25/32

Solution

  1. Step 1: Identify correct protocol and port for SSH

    SSH uses TCP protocol on port 22.

  2. Step 2: Restrict source IP to single address

    Use CIDR /32 to specify exactly one IP address (198.51.100.25/32).

  3. Final Answer:

    Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32 -> Option C

  4. Quick Check:

    SSH restricted to one IP with /32 [OK]
Hint: Use /32 CIDR to allow single IP only [OK]
Common Mistakes:
  • Allowing all IPs with 0.0.0.0/0
  • Using UDP instead of TCP for SSH
  • Using wrong port like 80 for SSH