Question

An organization runs several EC2 instances inside a VPC using three subnets, one for Development, one for Test, and one for Production. The Security team has some concerns about the VPC configuration. It requires restricting communication across the EC2 instances using Security Groups.

Which of the following options is true for Security Groups related to the scenario?

A. You can change a Security Group associated with an instance if the instance is in the running state.

B. You can change a Security Group associated with an instance if the instance is in the hibernate state.

C. You can change a Security Group only if there are no instances associated to it.

D. The only Security Group you can change is the Default Security Group.

Answer 1

A. You can change a Security Group associated with an instance if the instance is in the running state.

Explanation : 

Option A is CORRECT because the AWS documentation mentions it in the section called “Changing an Instance’s Security Group” using the following sentence: “After you launch an instance into a VPC, you can change the security groups that are associated with the instance. You can change the security groups for an instance when the instance is in the running or stopped state.”

Option B is incorrect as You can change the security groups for an instance when the instance is in the running or stopped state, not hibernate state.

Option C is incorrect because there have to be some instances associated.

Option D is incorrect because other security groups can also be changed.

Reference: https://docs.aws.amazon.com/en_pv/vpc/latest/userguide/VPC_SecurityGroups.html