The correct combination of actions is:

1. Create a security group rule to allow inbound TCP traffic on port 443 from 0.0.0.0/0.
2. Update the network ACL to allow inbound TCP port 443 from 0.0.0.0/0 and outbound TCP ports 3276865535 to 0.0.0.0/0.

The security group acts as a virtual firewall for the EC2 instance. By default, security groups are stateful, so only an inbound rule is needed for HTTPS access (port 443). Allowing traffic from 0.0.0.0/0 means anyone can reach the server on that port.

Network ACLs are stateless, which means both inbound and outbound rules must be explicitly defined. To support a full TCP connection (like HTTPS), the inbound rule must allow traffic on port 443, and the outbound rule must allow ephemeral ports (typically TCP ports 3276865535) for the return traffic. This ensures that responses from the EC2 instance are not blocked.

Why the other options are incorrect:

Allowing TCP port 443 to destination 0.0.0.0/0 in a security group is not validsecurity group rules do not use 'destination' for inbound rules. This syntax is incorrect and not applicable to AWS security groups.

Updating the network ACL to allow all traffic on port 443 in both directions (with the same source and destination) is overly permissive and doesn't follow best practices. It also misses the need for ephemeral port ranges for return traffic in the outbound direction.

Creating a security group rule without updating the network ACL would not help if the network ACL is still blocking all traffic. Both layers of access control must be correctly configured.

Why this question matters: This tests your understanding of the difference between security groups and network ACLs, as well as how AWS handles stateful and stateless access controls. Its important to know how to configure both to ensure full, bidirectional connectivity for a public-facing EC2 instance.

Tip: Security groups are statefulnetwork ACLs are not. Always allow both inbound and outbound ports in ACLs for the traffic you want to support.

Full AWS Practitioner Certification Question