Exam AWS-SysOps topic 1 question 655 discussion

The FlowLogs has been activated on SMTP vpc, not on ec2-instance one. That`s why the REJECT is happening on SMTP side. I would choose A

A you can use security groups to allow certain traffic between instances of the same SG Now D is incorrect because outbound traffic is already authorized because other instances can connect and SG statefull

Based on the provided VPC Flow Logs information, the connection between the EC2 instance (source IP 10.1.1.200) and the SMTP server (destination IP 10.100.1.10) is being rejected. This rejection indicates that the security group associated with the EC2 instance is blocking outbound communication on TCP port 25. To resolve the issue, you should update the security group associated with the EC2 instance to allow outbound communication on TCP port 25. This can be done by adding a rule to the security group that permits outbound traffic on port 25 to the IP range or specific IP address of the SMTP server.

Id choose A

I would go with A since the log is for the SMTP server and other instances can communicate correctly. however the protocol is wrong its not TCP its UDP (17)

A is correct. The logs on smtp server side show rejected traffic from instance, therefore traffic does reach smtp server subnet but gets rejected, answer is A.

A is the answer Traffic is being rejected so SG inbound should allow traffic to pass through

The fact that traffic is detected "but refused" in VPC flow logs mean that ec2 instance have SMTP client installed and that client SG allow outbound traffic over port 25. so C,D excluded .. - adding ec2 "smtp client" to same SG as server doesn't enable it to communicate with the server , a rule must be defined in SG to accept traffic from same SG over port 25 .. choice A taxonomy is very weird as it say " and ensure that is permitted to communicate over TCP port 25." does this mean adding inbound rule or outbound rule or what !!

A. Add the instance to the security group for the SMTP server and ensure that is permitted to communicate over TCP port 25.

AWS blocks outbound traffic on port 25 (SMTP) of all EC2 instances and Lambda functions by default. If you want to send outbound traffic on port 25, you can request for this restriction to be removed. Ans is D as the EC2 instance SG should explicitly have outbound rules to connect to port 25 (SMTP) https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/

I'll go with A

C - the flow shown is using UDP, not TCP The flow shows it is using protocol #17, which is UDP (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). SMTP traditionally uses TCP (protocol #6)

A. Add the instance to the security group for the SMTP server and ensure that is permitted to communicate over TCP port 25.

IT IS A

SG is stateful and allows outbound traffic of allowed inbound ports. This eliminates answer D and The only provable answer is A then.

The fact we see captured packet on SMTP_Server_ENI means that on the instance site port 25 (outbound direction) is permitted and packet has been successfully sent from the source but rejected (drop) from SMTP-Server. For me its ans A.

Answer: A (given the other options are wrong, not saying A is a perfect answer. think its worded badly) B: huh? C: huh? D: wrong - the EC2 instance has outbound TCP/25 already given the traffic reaches the network interface of the SMTP server, which then rejects it.