Allow inbound 443 from 0.0.0.0/0 and allow inbound 22 from 10.32.0.0/12 is correct because it exposes the website to the public on HTTPS while restricting SSH access to the company network that is reachable via the VPN.

The rule Allow inbound 443 from 0.0.0.0/0 and allow inbound 22 from 10.32.0.0/12 permits TCP 443 from any internet client so the site is reachable over HTTPS and it restricts TCP 22 to the 10.32.0.0/12 CIDR so only administrators on the corporate network can SSH into the instance. Security groups are stateful so once an inbound connection is allowed return traffic is automatically permitted.

Allow inbound 443 and 22 from the VPC CIDR 10.0.0.0/16 is wrong because it confines access to the VPC range and prevents internet users from reaching the public HTTPS site.

Allow inbound 22 from 0.0.0.0/0 and allow inbound 443 from 10.32.0.0/12 is wrong because it opens SSH to the entire internet and limits HTTPS to the corporate CIDR which blocks public access to the website.

Allow inbound 443 and 22 from both 0.0.0.0/0 and 10.32.0.0/12 is wrong because it still permits SSH from anywhere and fails the requirement to restrict administrative SSH to the company network.

Full AWS Practitioner Certification Question