An application running on EC2 instances in the public subnet in a VPC must call an external web service via HTTPS (PORT 443). Which of the below options would minimize the exposure of the instances?
Choose 2 options.

Answer options:

A.A Network ACL with a rule that allows outbound traffic on port 443.
B.A Network ACL with a rule that allows outbound traffic on port 443 and inbound traffic in ephemeral ports.
C.A Network ACL with a rule that allows outbound traffic on port 443 and inbound traffic in port 443.
D.A Security Group with a rule that allows outbound traffic on port 443.
E.A security group with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports.

Answer – B and D
Since the traffic needs to flow outbound from the Instance to a web service on Port 443, the outbound rules on both the Network and Security Groups need to allow outbound traffic. The Incoming traffic should be allowed on ephemeral ports for the Operating System on the Instance to allow a connection to be established on any desired or available port.
Option A is invalid because this rule alone is not enough. You also need to ensure incoming traffic on ephemeral ports.
Option C is invalid because it needs to ensure incoming traffic on ephemeral ports and not only port 443.
Option E is invalid since you are allowing additional ports on Security groups that are not required.
For more information on VPC Security Groups, please visit the below URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html