Exam ANS-C00 topic 1 question 50 discussion

Exam question from Amazon's ANS-C00
Question #: 50
Topic #: 1

Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?

  • A. Inbound; Protocol tcp; Source [Instance's EIP]; Destination 169.254.169.254
  • B. Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
  • C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
  • D. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443
Suggested Answer: C 🗳️
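The following is an added worked example, not part of the exam page or of AWS documentation. It models a default-deny host-based firewall of the kind the question describes and evaluates the four candidate rules against the traffic an instance actually generates when it calls the instance metadata service: IMDSv2 first PUTs for a session token and then GETs metadata, both as plain HTTP to 169.254.169.254 on port 80, sourced from the instance itself. The private IP, Elastic IP, ephemeral ports and the unrelated egress destination are constructed values; the model's `stateful` flag stands in for connection tracking as found in iptables/nftables, which is what lets the IMDS reply back in without an explicit inbound rule.

```python
# Added example: a minimal model of a default-deny host firewall, used to check
# which candidate rule (A-D) lets an EC2 instance reach IMDS. Only
# 169.254.169.254 comes from the question; every other address is constructed.
from dataclasses import dataclass
from typing import Optional
import ipaddress

IMDS_IP = "169.254.169.254"      # link-local IMDS endpoint (from the question)
INSTANCE_IP = "10.0.1.25"        # constructed private IP of the instance
INSTANCE_EIP = "203.0.113.10"    # constructed Elastic IP (documentation range)


@dataclass(frozen=True)
class Packet:
    direction: str  # "outbound": sent by the instance; "inbound": arriving at it
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    proto: str
    src: Optional[str] = None    # IP or CIDR; None means any
    dst: Optional[str] = None
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction or pkt.proto != self.proto:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want is not None and ipaddress.ip_address(have) not in \
                    ipaddress.ip_network(want, strict=False):
                return False
        return self.dport is None or self.dport == pkt.dport


def is_allowed(pkt: Packet, rules, stateful: bool = True, flows=None) -> bool:
    """Default-deny evaluation. With stateful=True, a reply to a flow that was
    already allowed outbound is accepted without an explicit inbound rule,
    mimicking conntrack-based host firewalls; with stateful=False every
    packet, including the reply, needs its own matching allow rule."""
    flows = flows if flows is not None else set()
    if stateful and pkt.direction == "inbound" and \
            (pkt.dst, pkt.src, pkt.dport, pkt.sport) in flows:
        return True
    if any(r.matches(pkt) for r in rules):
        if pkt.direction == "outbound":
            flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return True
    return False


# The four answer options, transcribed as rules.
CANDIDATES = {
    "A": Rule("A", "inbound", "tcp", src=INSTANCE_EIP, dst=IMDS_IP),
    "B": Rule("B", "inbound", "tcp", dst=IMDS_IP, dport=80),
    "C": Rule("C", "outbound", "tcp", dst=IMDS_IP, dport=80),
    "D": Rule("D", "outbound", "tcp", dst=IMDS_IP, dport=443),
}

# Constructed traffic: IMDSv2 token PUT, then a metadata GET, both HTTP/80.
IMDS_REQUESTS = [
    Packet("outbound", "tcp", INSTANCE_IP, IMDS_IP, 51234, 80),  # PUT /latest/api/token
    Packet("outbound", "tcp", INSTANCE_IP, IMDS_IP, 51235, 80),  # GET /latest/meta-data/
]
IMDS_REPLY = Packet("inbound", "tcp", IMDS_IP, INSTANCE_IP, 80, 51234)
UNRELATED_EGRESS = Packet("outbound", "tcp", INSTANCE_IP, "198.51.100.7", 51236, 443)


def rules_allowing_imds():
    """Names of the candidate rules under which every IMDS request passes."""
    return sorted(name for name, rule in CANDIDATES.items()
                  if all(is_allowed(p, [rule]) for p in IMDS_REQUESTS))


def reply_allowed(stateful: bool) -> bool:
    """With only rule C installed, does the IMDS response get back in?"""
    flows = set()
    for p in IMDS_REQUESTS:
        is_allowed(p, [CANDIDATES["C"]], stateful, flows)
    return is_allowed(IMDS_REPLY, [CANDIDATES["C"]], stateful, flows)


def egress_still_blocked() -> bool:
    """Rule C is a narrow exception: other outbound traffic stays denied."""
    return not is_allowed(UNRELATED_EGRESS, [CANDIDATES["C"]])


if __name__ == "__main__":
    print("rules that allow IMDS:", rules_allowing_imds())
    print("reply allowed, stateful:", reply_allowed(True))
    print("reply allowed, stateless:", reply_allowed(False))
    print("unrelated egress still blocked:", egress_still_blocked())
```

Only rule C matches the requests: A and B are inbound rules and never see the instance's own outgoing packets, and D targets port 443 while IMDS speaks plain HTTP on port 80. The `reply_allowed` check is the caveat the thread circles around: on a stateful host firewall the response rides on the tracked flow, whereas a purely stateless filter would additionally need an inbound allow for source 169.254.169.254 port 80.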

Comments

guruguru
Highly Voted 3 years, 7 months ago
C. It is outbound, an HTTP request. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
upvoted 11 times
BillyC
Highly Voted 3 years, 8 months ago
C, it's correct!
upvoted 5 times
etarga
Most Recent 2 years, 4 months ago
Selected Answer: C
Correct Answer C
upvoted 1 times
PavanKushwah123
2 years, 5 months ago
Correct Answer C
upvoted 1 times
Uzik
3 years, 1 month ago
Yes, C is definitely correct.
upvoted 1 times
ChauPhan
3 years, 7 months ago
C. Outbound + HTTP port 80. To view all categories of instance metadata from within a running instance, use the following URI: http://169.254.169.254/latest/meta-data/
upvoted 2 times
Solo_Jordan
3 years, 8 months ago
Instance metadata is accessed FROM your EC2 instance. Think about it: if you accessed AN instance's metadata on the same IP 169.254.169.254 and it was sourced from externally (say another subnet or whatever you're thinking), how do you differentiate which instance you're talking about? Think of 169.254.169.254 as a resource that all EC2 instances go to when they need data about themselves, and the 169 resource knows which instance metadata to look at based on the source IP of the instance asking. So the answer is C.
upvoted 3 times
Ajani
3 years, 8 months ago
I think it's B; if host-based firewalls are stateful, then it wouldn't matter if all outbound traffic is blocked. The traffic is sourced from outside the instance (Instance metadata is data about your instance that you can use to configure or manage the running instance). I
upvoted 2 times
Ajani
3 years, 7 months ago
Sorry; traffic is NOT sourced from outside the instance. Solo_Jordan is right about the link-local address. // Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods. // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
Looking at iptables (Linux host-based firewall) as an example:
iptables -t filter -A INPUT # traffic destined for the localhost
iptables -t filter -A FORWARD # traffic allowed through the localhost
iptables -t filter -A OUTPUT # traffic outbound from localhost
Adding an inbound rule doesn't change this fact of the question ("on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic"); I change my choice to C.
upvoted 2 times
CloudTrail
3 years, 8 months ago
C is correct
upvoted 4 times
rene_s
3 years, 8 months ago
It is inbound, egress: the target is your IP. I think it's B.
upvoted 2 times
rene_s
3 years, 8 months ago
My mistake. It is outbound; the request comes from the instance. Answer C.
upvoted 8 times
Globetrotter
3 years, 8 months ago
Is it outbound or inbound?
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other