Exactprep SOA-C03 Questions

Network ACLs are stateless, meaning both inbound and outbound rules must explicitly allow traffic. While inbound HTTP traffic (port 80) was allowed, the return traffic from the EC2 instance uses ephemeral ports (typically 1024–65535). If outbound rules do not allow this ephemeral port range, the response traffic is dropped, preventing the website from loading.

Security groups are stateful and automatically allow return traffic, but network ACLs do not. This commonly causes connectivity issues when custom ACLs are applied without matching outbound rules.

Option B is incorrect because security groups allow all outbound traffic by default. Option C is irrelevant. Option D is incorrect because only one network ACL can be associated with a subnet at a time.

Thus, the missing outbound ephemeral port rule in the network ACL is the root cause.

Amazon EC2 Instance Connect enables secure SSH access to EC2 instances without requiring a traditional SSH key pair. However, although authentication is handled through IAM and the Instance Connect endpoint, the underlying network requirements for SSH still apply.

For EC2 Instance Connect to function, the EC2 instance’s security group must allow inbound traffic on TCP port 22 from the network where the Instance Connect endpoint resides. In this case, both the endpoint and the EC2 instance are in the private subnet, so the security group must explicitly allow SSH traffic from that subnet or from the security group associated with the endpoint.

Allowing HTTPS traffic on port 443 does not enable SSH access. Systems Manager Session Manager is a separate access mechanism and does not resolve an EC2 Instance Connect failure. Recreating the instance with an SSH key pair is unnecessary because EC2 Instance Connect does not rely on key pairs.

Therefore, enabling inbound SSH traffic on port 22 from the private subnet resolves the connection issue.

User-defined tags must be explicitly activated as cost allocation tags in the AWS Billing and Cost Management console before they can be used in Cost Explorer. Simply applying tags to resources is not sufficient.

Once activated, cost allocation tags can take up to 24 hours to appear in Cost Explorer, but they will not appear at all if activation is not performed. The 30-day delay applies only to historical reporting after activation, not to visibility itself.

Cost and Usage Reports and Budgets are not prerequisites for Cost Explorer filtering.

Therefore, the issue occurs because the tags were not activated for cost allocation.

The PrivateDnsName attribute of an EC2 instance is automatically assigned by AWS at launch time and is a read-only property. CloudFormation does not allow users to specify this value manually.

Including PrivateDnsName in the EC2 instance properties causes validation to fail during stack creation. Outputs and Parameters sections are optional, and the VPC is implicitly defined through the subnet ID.

Therefore, attempting to set PrivateDnsName results in stack creation failure.