
  • Bonus exam: Restrict SG rules

  • Guillermo Contreras

    December 24, 2023 at 9:32 am


    I completely disagree with the answer on question 24. The condition aws:SourceIP is only used to allow/deny an API call made from a particular public IP: there is no way to use it to compare against the parameter sent in the API call to create/update SG rules. It is pretty clear to me that the person in charge of this question doesn’t have actual hands-on experience with AWS SCPs or advanced features of IAM; I haven’t done the test, but I might guess that putting that SCP in place would actually make the API call unavailable for anyone. Please remove this question from the exam.

  • Carlo-TutorialsDojo

    January 8, 2024 at 6:08 pm

    Hello Guillermo,

    We acknowledge this mistake on our part. You’re right. The aws:SourceIp condition key pertains to the requester’s IP address, not the IP address being specified in the security group rule. Unfortunately, there’s no direct condition key for matching the contents of a security group rule to the one the request contains. One workaround to proactively prevent users from messing with inbound rules is by tagging the critical security groups and creating a Deny statement using the aws:ResourceTag. We’ll work on revising the scenario and options as well to rectify this oversight.

    Again, we apologize for any confusion that may have been caused.

    Please let us know if there’s anything you’d like us to clarify.


    Carlo @ Tutorials Dojo
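One concrete form of the tag-based workaround Carlo describes, written here as an added example rather than code from the thread or from Tutorials Dojo: an SCP that denies rule changes on security groups carrying a protective tag. The tag key/value `Critical=true` and the exact action list are assumptions; adjust them to your own tagging standard.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRuleChangesOnCriticalSecurityGroups",
      "Effect": "Deny",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ModifySecurityGroupRules",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Critical": "true" }
      }
    },
    {
      "Sid": "DenyStrippingTheProtectiveTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Critical": "true" }
      }
    }
  ]
}
```

The second statement matters: without it a principal could remove or overwrite the `Critical` tag and then edit the rules, so the tag itself has to be protected on the same resources. As the thread notes, `aws:SourceIp` evaluates only the caller's address and cannot express a constraint on the CIDR inside the rule being created.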
