
Stateful behavior of security groups in AWS - Practice Problems & Coding Challenges

Challenge - 5 Problems
1. How does a security group handle return traffic?
intermediate (conceptual)
You have an EC2 instance with a security group allowing inbound TCP traffic on port 80. What happens to the response traffic from the instance back to the client?
A. Response traffic is allowed only if the inbound rule is set to allow all protocols.
B. You must create an outbound rule to allow response traffic on port 80.
C. Response traffic is blocked unless you add a rule for ephemeral ports.
D. The security group automatically allows the response traffic without an explicit outbound rule.
Hint: Think about how stateful firewalls track connections.
2. Outbound traffic behavior with no custom outbound rules
intermediate (service behavior)
You create a new security group, add only inbound rules, and leave the outbound rules exactly as AWS created them. What is the behavior of outbound traffic from an EC2 instance that uses this security group?
A. Outbound traffic is allowed only if inbound rules permit it.
B. Outbound traffic is allowed only on port 22.
C. All outbound traffic is blocked because no outbound rules exist.
D. All outbound traffic is allowed by default.
Hint: Consider the outbound rule AWS places in every new security group, and what would change if you deleted it.
3. Designing a security group for a web server with database access
advanced (architecture)
You have a web server in a public subnet and a database server in a private subnet. The web server needs to accept HTTP traffic from the internet and connect to the database on port 3306. Which security group configuration correctly supports this while following best practices?
A. Web server SG allows inbound HTTP from 0.0.0.0/0 and outbound MySQL to the database SG; database SG allows inbound MySQL from the web server SG.
B. Web server SG allows inbound HTTP from the database SG and outbound MySQL to 0.0.0.0/0; database SG allows inbound MySQL from 0.0.0.0/0.
C. Web server SG allows inbound HTTP from 0.0.0.0/0 and inbound MySQL from the database SG; database SG allows inbound MySQL from the web server SG.
D. Web server SG allows inbound HTTP from 0.0.0.0/0 and outbound MySQL to 0.0.0.0/0; database SG allows inbound MySQL from the web server SG.
Hint: Think about restricting access to only necessary sources and destinations.
4. Impact of removing inbound rules on existing connections
advanced (security)
An EC2 instance has an active SSH session established through a security group rule allowing inbound TCP port 22. If you remove the inbound rule while the session is active, what happens to the SSH connection?
A. The SSH session immediately drops as the inbound rule is removed.
B. The SSH session remains active until closed by the client or server.
C. The SSH session remains active but no new inbound SSH connections are allowed.
D. The SSH session is paused until the inbound rule is added back.
Hint: Consider how connection tracking treats an established, tracked flow when the rule that admitted it is removed, and how that differs from a new connection attempt.
5. Minimizing attack surface using security groups in a multi-tier application
expert (best practice)
You manage a multi-tier application with web, application, and database layers in separate subnets. To minimize the attack surface, which security group strategy is best?
A. Allow inbound traffic only from the previous tier's security group and restrict all other inbound traffic.
B. Allow inbound traffic from all subnets in the VPC to simplify connectivity.
C. Allow inbound traffic from the internet to all tiers for flexibility.
D. Allow inbound traffic only on port 22 from the internet to all tiers for management.
Hint: Think about limiting access strictly between tiers.
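Challenge questions 3 and 5 come down to one rule: each tier admits only the security group of the tier in front of it, and only the edge tier is reachable from the internet, on its public ports alone. The Python below is an added example for this page, not code from the quiz or from AWS. It builds that design in the IpPermissions structure that `aws ec2 describe-security-groups` returns and boto3 accepts, then audits a rule set against the policy so that the quiz's distractors (database open to 0.0.0.0/0, SSH from the internet on every tier, a tier skipping its upstream neighbour) come out as findings. The group IDs, the application port 8080 and the policy tables are assumptions made for the illustration.

```python
"""Three-tier security-group design in the IpPermissions shape used by
`aws ec2 describe-security-groups` and boto3, plus a least-privilege audit.
Added example for this page; not AWS or quiz code. Group IDs are made up."""

WEB_SG = "sg-0a1b2c3d4e5f60001"  # hypothetical IDs
APP_SG = "sg-0a1b2c3d4e5f60002"
DB_SG = "sg-0a1b2c3d4e5f60003"

# Policy (assumed for the illustration): which groups may face the internet,
# on which ports, and which single peer group each inner tier may admit.
INTERNET_FACING = {WEB_SG}
PUBLIC_PORTS = {80, 443}
ALLOWED_PEERS = {APP_SG: {WEB_SG}, DB_SG: {APP_SG}}


def tcp_from_cidr(port, cidr):
    """One ingress permission: TCP/port from an IPv4 range."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "Ipv6Ranges": [], "UserIdGroupPairs": []}


def tcp_from_group(port, group_id):
    """One ingress permission: TCP/port from members of another security group.
    Referencing the group instead of a CIDR keeps the rule correct as instances
    behind it are added, replaced or re-addressed."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": group_id}]}


def three_tier_ingress():
    """Challenge 3 option A generalised to three tiers: each tier admits only
    the tier in front of it; only the web tier is reachable from the internet."""
    return {
        WEB_SG: [tcp_from_cidr(80, "0.0.0.0/0"), tcp_from_cidr(443, "0.0.0.0/0")],
        APP_SG: [tcp_from_group(8080, WEB_SG)],  # app port 8080 is an assumption
        DB_SG: [tcp_from_group(3306, APP_SG)],
    }


def distractor_ingress():
    """The quiz's wrong answers: database open to the world, SSH from anywhere
    on every tier, and the database admitting the web tier directly."""
    groups = three_tier_ingress()
    groups[DB_SG].append(tcp_from_cidr(3306, "0.0.0.0/0"))
    groups[DB_SG].append(tcp_from_group(3306, WEB_SG))
    for perms in groups.values():
        perms.append(tcp_from_cidr(22, "0.0.0.0/0"))
    return groups


def _port_range(perm):
    if perm["IpProtocol"] == "-1":  # "all traffic" rules carry no port fields
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit_ingress(groups, internet_facing=INTERNET_FACING,
                  public_ports=PUBLIC_PORTS, allowed_peers=ALLOWED_PEERS):
    """Return one finding string per ingress rule that violates the policy."""
    findings = []
    for sg_id, perms in groups.items():
        for perm in perms:
            ports = _port_range(perm)
            span = f"{ports[0]}-{ports[-1]}"
            world = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
            world += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
            if world and sg_id not in internet_facing:
                findings.append(f"{sg_id}: {perm['IpProtocol']} {span} open to {world} on a non-edge tier")
            elif world and not set(ports) <= public_ports:
                findings.append(f"{sg_id}: {perm['IpProtocol']} {span} open to {world} "
                                f"outside the public ports {sorted(public_ports)}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed_peers.get(sg_id, set()):
                    findings.append(f"{sg_id}: admits {pair['GroupId']} on {span}, "
                                    f"which is not its upstream tier")
    return findings


if __name__ == "__main__":
    print("clean design:", audit_ingress(three_tier_ingress()))
    for finding in audit_ingress(distractor_ingress()):
        print("finding:", finding)
```

The same audit runs unchanged over the `IpPermissions` lists in real `describe-security-groups` output; only the three policy tables need to be filled in for the account being reviewed.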

Practice

1. What does it mean when we say AWS security groups are stateful?
easy
A. Return traffic is automatically allowed, even if no outbound rule exists
B. You must create separate rules for inbound and outbound traffic
C. Security groups remember user login sessions
D. They block all traffic by default without exceptions

Solution

  1. Step 1: Understand stateful behavior in security groups

    Stateful means the security group tracks connections and allows return traffic automatically.
  2. Step 2: Apply this to inbound and outbound rules

    If inbound traffic is allowed, the response outbound traffic is automatically allowed without explicit outbound rules.
  3. Final Answer:

    Return traffic is automatically allowed, even if no outbound rule exists -> Option A
  4. Quick Check:

    Stateful = automatic return traffic allowed [OK]
Hint: Remember: inbound allows return outbound automatically [OK]
Common Mistakes:
  • Thinking outbound rules must explicitly allow return traffic
  • Confusing stateful with session management
  • Assuming security groups block traffic in both directions by default (a new group denies all inbound until a rule is added, but ships with an allow-all outbound rule)
2. Which of the following is the correct way to allow inbound HTTP traffic on port 80 in a security group?
easy
A. Inbound: TCP port 22 from 0.0.0.0/0
B. Outbound: TCP port 80 from 0.0.0.0/0
C. Inbound: UDP port 80 from 0.0.0.0/0
D. Inbound: TCP port 80 from 0.0.0.0/0

Solution

  1. Step 1: Identify the correct protocol and port for HTTP

    HTTP uses TCP protocol on port 80.
  2. Step 2: Confirm the direction and source

    Inbound rules control incoming traffic; source 0.0.0.0/0 means from anywhere.
  3. Final Answer:

    Inbound: TCP port 80 from 0.0.0.0/0 -> Option D
  4. Quick Check:

    HTTP inbound = TCP 80 inbound [OK]
Hint: Inbound TCP 80 for HTTP; no outbound rule is needed for the response [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Setting outbound instead of inbound rule
  • Using port 22 which is for SSH
3. If a security group allows inbound SSH (port 22) from a specific IP, what happens when the instance responds to that SSH request?
medium
A. The response is blocked unless an outbound rule allows port 22
B. The response is automatically allowed due to stateful behavior
C. The response is allowed only if a separate inbound rule exists
D. The response is blocked by default and requires a NAT gateway

Solution

  1. Step 1: Recall stateful nature of security groups

    Security groups track connections and allow return traffic automatically.
  2. Step 2: Apply to SSH inbound and response outbound

    Inbound SSH allowed means response outbound traffic is automatically allowed without extra rules.
  3. Final Answer:

    The response is automatically allowed due to stateful behavior -> Option B
  4. Quick Check:

    Inbound SSH allows automatic response outbound [OK]
Hint: Inbound allows return traffic automatically [OK]
Common Mistakes:
  • Thinking outbound rules must explicitly allow return traffic
  • Confusing inbound and outbound directions
  • Assuming NAT gateway is needed for return traffic
4. You created a security group with only an outbound rule allowing all traffic, but no inbound rules. You cannot connect to your instance via SSH. What is the likely problem?
medium
A. Inbound SSH traffic is blocked because no inbound rule allows port 22
B. Outbound rules block SSH response traffic
C. Security groups require both inbound and outbound rules for SSH
D. The instance must have a public IP to allow SSH

Solution

  1. Step 1: Analyze the security group rules

    Only outbound rules exist; no inbound rules allow SSH (port 22).
  2. Step 2: Understand inbound rules control incoming connections

    Without inbound port 22 allowed, SSH connection attempts are blocked.
  3. Final Answer:

    Inbound SSH traffic is blocked because no inbound rule allows port 22 -> Option A
  4. Quick Check:

    No inbound port 22 = no SSH access [OK]
Hint: Inbound rules must allow SSH for connection [OK]
Common Mistakes:
  • Assuming outbound rules control incoming SSH
  • Thinking both inbound and outbound rules are mandatory for SSH
  • Blaming a missing public IP: reachability is a separate question, and the symptom described is fully explained by the missing inbound rule
5. You want to allow inbound HTTP traffic from anywhere and ensure your instance can respond properly. Which security group configuration achieves this with minimal rules?
hard
A. Allow inbound TCP port 80 and outbound TCP port 80 from 0.0.0.0/0
B. Allow inbound TCP port 80 from 0.0.0.0/0 and outbound all traffic
C. Allow inbound TCP port 80 from 0.0.0.0/0 only
D. Allow inbound all traffic and outbound all traffic

Solution

  1. Step 1: Recall stateful behavior of security groups

    Inbound rules allow return outbound traffic automatically without explicit outbound rules.
  2. Step 2: Apply the minimal-rule principle

    Allowing inbound TCP port 80 from anywhere is enough; the response belongs to the tracked connection, so no outbound rule is needed for it. (With zero outbound rules the instance cannot open connections of its own, for example to a package mirror; that is a separate requirement the question does not impose.)
  3. Final Answer:

    Allow inbound TCP port 80 from 0.0.0.0/0 only -> Option C
  4. Quick Check:

    Inbound HTTP alone allows response outbound [OK]
Hint: Only inbound HTTP needed; response traffic is allowed automatically [OK]
Common Mistakes:
  • Adding unnecessary outbound rules for return traffic
  • Allowing all inbound traffic instead of just HTTP
  • Confusing outbound rules as mandatory for responses
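The stateful behavior every practice problem above relies on, and challenge questions 1, 2 and 4, can be modelled in a few dozen lines. The Python below is an added example, not AWS code and not part of the quiz: a toy model of security-group evaluation with a connection table, written from the documented behavior (allow-only rules, inbound denied unless a rule matches, a flow admitted once passing in both directions afterwards, and a tracked flow surviving removal of the rule that admitted it). The addresses and ports are constructed sample traffic; AWS's special case of untracked flows when all traffic is allowed from 0.0.0.0/0 in both directions is deliberately left out of the model.

```python
"""Toy model of AWS security-group evaluation with connection tracking.
Added illustration for this page, not AWS code: the real data plane is not
inspectable, but its documented rules are simple enough to model. Omitted
simplification: AWS leaves some flows untracked when both directions allow
all traffic from 0.0.0.0/0."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "-1" for all protocols
    from_port: int  # -1 (with to_port -1) means all ports
    to_port: int
    cidr: str       # source range for inbound rules, destination range for outbound

    def matches(self, proto: str, port: int, peer_ip: str) -> bool:
        proto_ok = self.protocol in ("-1", proto)
        port_ok = self.from_port == -1 or self.from_port <= port <= self.to_port
        cidr_ok = ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)
        return proto_ok and port_ok and cidr_ok


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    # Connection table: flows a rule has admitted, keyed from the instance's
    # view as (protocol, peer ip, peer port, local port). Later packets of a
    # tracked flow pass in either direction without consulting the rules.
    tracked: set = field(default_factory=set)

    def inbound_packet(self, proto, src_ip, src_port, dst_port) -> bool:
        flow = (proto, src_ip, src_port, dst_port)
        if flow in self.tracked:
            return True
        if any(r.matches(proto, dst_port, src_ip) for r in self.inbound):
            self.tracked.add(flow)
            return True
        return False  # implicit deny: there are no deny rules, only absent allows

    def outbound_packet(self, proto, dst_ip, dst_port, src_port) -> bool:
        flow = (proto, dst_ip, dst_port, src_port)  # same key as the inbound view
        if flow in self.tracked:
            return True
        if any(r.matches(proto, dst_port, dst_ip) for r in self.outbound):
            self.tracked.add(flow)
            return True
        return False


ALLOW_ALL_OUT = Rule("-1", -1, -1, "0.0.0.0/0")  # the rule a new security group ships with


def web_server_with_no_outbound_rules():
    """Inbound TCP/80 only (practice 5, challenge 1). The HTTP response reaches
    the client, but the instance cannot open a new connection of its own."""
    sg = SecurityGroup(inbound=[Rule("tcp", 80, 80, "0.0.0.0/0")])
    request_ok = sg.inbound_packet("tcp", "198.51.100.7", 51234, 80)   # constructed client
    response_ok = sg.outbound_packet("tcp", "198.51.100.7", 51234, 80)
    new_egress_ok = sg.outbound_packet("tcp", "192.0.2.10", 443, 40000)  # e.g. a package mirror
    return request_ok, response_ok, new_egress_ok


def remove_ssh_rule_mid_session():
    """Challenge 4: the established SSH flow survives removal of the rule that
    admitted it; a fresh SSH connection from the same client does not."""
    sg = SecurityGroup(inbound=[Rule("tcp", 22, 22, "203.0.113.5/32")],
                       outbound=[ALLOW_ALL_OUT])
    sg.inbound_packet("tcp", "203.0.113.5", 50000, 22)  # session established
    sg.inbound = []                                      # operator deletes the rule
    existing_ok = sg.inbound_packet("tcp", "203.0.113.5", 50000, 22)
    new_ok = sg.inbound_packet("tcp", "203.0.113.5", 50001, 22)
    return existing_ok, new_ok


def outbound_only_group():
    """Practice 4: allow-all outbound but no inbound rule, so SSH never gets in."""
    sg = SecurityGroup(outbound=[ALLOW_ALL_OUT])
    return sg.inbound_packet("tcp", "203.0.113.5", 50000, 22)


if __name__ == "__main__":
    print("web server, inbound 80 only:", web_server_with_no_outbound_rules())
    print("SSH rule removed mid-session:", remove_ssh_rule_mid_session())
    print("outbound-only group, SSH attempt:", outbound_only_group())
```

The connection table is the whole point: a network ACL has no such table and would need an explicit ephemeral-port rule for the response, which is why option C of challenge question 1 is a plausible but wrong answer for security groups.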