Circumventing inbound traffic rule by faking reply traffic

My question is about security groups/firewalls and protecting a virtual private cloud from the external world. Here is a description of VPC default policy for inbound/outbound traffic (on AWS):

Each security group by default contains an outbound rule that allows access to any IP address. It’s important to note that when an instance sends traffic out, the security group will allow reply traffic to reach the instance, regardless of what inbound rules are configured.

I was wondering if there exists an attack vector where a malicious user tries to circumvent the VPC’s inbound policy (i.e. block all traffic) by tricking it into thinking that the incoming traffic is “reply” traffic? Does such an attack have a name in the literature?

I can also think of a scenario where a target machine T (within a VPC) sends a request to some valid server V, but the malicious user M sends a malicious response to T (tricking it into believing that it comes from V) before T receives the actual response from V, thus circumventing T's inbound traffic policy.
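To make the mechanism behind the quoted policy concrete, here is an added example (not from the question, and not AWS code) that models how a stateful filter decides what counts as "reply traffic": an inbound packet is accepted only if it mirrors a flow the instance opened, and for TCP only if its sequence number falls inside the receive window, as Linux conntrack does. The addresses, ports and sequence numbers are constructed from documentation ranges; the `ReplyTracker` class and the `reply_policy_demo` scenario are assumptions for illustration.

```python
import hashlib  # unused by the tracker itself; kept so the module is self-contained
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Flow key: (protocol, local_ip, local_port, remote_ip, remote_port)
Flow = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int = 0      # TCP sequence number of this segment (unused for UDP)
    ack: int = 0      # TCP acknowledgement number (unused for UDP)


class ReplyTracker:
    """Stateful filter: inbound packets pass only if they answer a flow the
    instance itself opened.  For TCP it additionally demands an in-window
    sequence number; for UDP it can only match addresses and ports."""

    def __init__(self, window: int = 65535) -> None:
        self.window = window
        # outbound flow -> next sequence number expected from the peer
        # (None until the instance has acknowledged anything, and always None for UDP)
        self.flows: Dict[Flow, Optional[int]] = {}

    def outbound(self, p: Packet) -> None:
        key: Flow = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        # The ack number the instance sends is the next byte it expects from the peer.
        self.flows[key] = p.ack if (p.proto == "tcp" and p.ack) else None

    def inbound_allowed(self, p: Packet) -> bool:
        # A reply mirrors the outbound flow: swap the two endpoints.
        key: Flow = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if key not in self.flows:
            return False               # no matching flow: falls through to the inbound rules (deny)
        expected = self.flows[key]
        if expected is None:
            return True                # UDP, or TCP before any ack: only addresses/ports are checked
        return expected <= p.seq < expected + self.window


def reply_policy_demo() -> Dict[str, bool]:
    """Constructed traffic: instance T (10.0.1.5) talks to server V (203.0.113.10);
    M (198.51.100.7) is an unrelated third party.  All addresses are documentation ranges."""
    T, V, M = "10.0.1.5", "203.0.113.10", "198.51.100.7"
    fw = ReplyTracker()

    # 1. T sends a UDP DNS query to V; only a reply from V:53 to that source port should pass.
    fw.outbound(Packet("udp", T, 40000, V, 53))
    results = {
        "udp_reply_from_V": fw.inbound_allowed(Packet("udp", V, 53, T, 40000)),
        "udp_unsolicited_from_M": fw.inbound_allowed(Packet("udp", M, 53, T, 40000)),
        "udp_reply_wrong_port": fw.inbound_allowed(Packet("udp", V, 53, T, 40001)),
        # A datagram whose header carries V's address and the right ports is
        # indistinguishable from the real reply at this layer.  That is the gap the
        # question describes, and why UDP protocols need their own authentication
        # (DNSSEC, DTLS, ...) rather than relying on the security group.
        "udp_header_claims_V": fw.inbound_allowed(Packet("udp", V, 53, T, 40000)),
    }

    # 2. TCP: after the handshake T has acknowledged V's ISN+1 = 1001.
    fw.outbound(Packet("tcp", T, 50000, V, 443, seq=1, ack=1001))
    results["tcp_reply_in_window"] = fw.inbound_allowed(
        Packet("tcp", V, 443, T, 50000, seq=1001))
    # Right addresses and ports but an out-of-window sequence number: dropped.
    # A party that is not on the path does not know this value, which is the
    # extra protection TCP gets and UDP does not.
    results["tcp_reply_bad_seq"] = fw.inbound_allowed(
        Packet("tcp", V, 443, T, 50000, seq=9_000_000))
    return results


if __name__ == "__main__":
    for name, ok in reply_policy_demo().items():
        print(f"{name:26s} {'ALLOW' if ok else 'DROP'}")
```

The take-away for the scenario in the question is that the security group only checks whether the packet looks like a reply, not whether it is one: for TCP the sequence-number window raises the bar, for UDP there is no such bar, so authenticity has to come from the application layer (TLS, DNSSEC) and detection has to look for unsolicited replies and sequence-window misses in flow logs.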

What prevents a website from faking signing from a trusted certificate authority? [duplicate]

This question already has an answer here:

  • How does SSL/TLS work? 3 answers

I have a question about SSL (TLS) certificate signing authorities. How does this validation work? I know the browser has copies of (the public?) keys of the major signing authorities, but how does the comparison work when they receive encrypted data from a server and the server claims its certificate was signed by one of those signing authorities? What prevents the owner of the server sending the SSL data from faking ownership of the certificate signing authority?
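The following is an added example, not part of the question, that shows the check the browser actually performs: the certificate body names an issuer, the browser looks that issuer up in its trust store of CA public keys, and it verifies that the signature on the body was produced with the private key matching that public key. Anyone can write "issued by Trusted CA" into a certificate, but without the CA's private key the signature will not verify. The signature scheme here is textbook RSA over a SHA-256 digest with tiny fixed primes, chosen only so the example runs offline without any third-party library; real certificates use X.509/ASN.1, much larger keys and padding, and the browser also checks names, validity dates and the rest of the chain. The CA name, primes and helper functions are assumptions for illustration.

```python
import hashlib
import json
from typing import Dict, Tuple

PubKey = Tuple[int, int]    # (n, e)
PrivKey = Tuple[int, int]   # (n, d)


def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[PubKey, PrivKey]:
    """Textbook RSA key from two fixed primes.  Insecure by design: for illustration only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest(tbs: dict, n: int) -> int:
    """Hash the to-be-signed body in a canonical encoding and reduce it below n."""
    encoded = json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(encoded).digest(), "big") % n


def sign(tbs: dict, priv: PrivKey) -> int:
    n, d = priv
    return pow(_digest(tbs, n), d, n)


def verify(tbs: dict, signature: int, pub: PubKey) -> bool:
    n, e = pub
    return pow(signature, e, n) == _digest(tbs, n)


def issue_cert(subject: str, subject_pub: PubKey, issuer: str, signing_key: PrivKey) -> dict:
    """Build a certificate: the body plus a signature over the body.  Note that the
    'issuer' field is just a string the issuer writes; nothing stops anyone from
    writing a CA's name there.  Only the signature ties the body to a key."""
    tbs = {"subject": subject, "public_key": list(subject_pub), "issuer": issuer}
    return {"tbs": tbs, "signature": sign(tbs, signing_key)}


def browser_accepts(cert: dict, trust_store: Dict[str, PubKey]) -> bool:
    """The check the question asks about: find the named issuer among the trusted
    CA public keys, then confirm the signature verifies under that key."""
    issuer = cert["tbs"]["issuer"]
    if issuer not in trust_store:
        return False                      # unknown CA: nothing to compare against
    return verify(cert["tbs"], cert["signature"], trust_store[issuer])


def certificate_demo() -> Dict[str, bool]:
    # Constructed keys: these primes are far too small for real use.
    ca_pub, ca_priv = toy_keypair(1000000007, 998244353)
    server_pub, server_priv = toy_keypair(1000000009, 1000000021)
    trust_store = {"Toy Root CA": ca_pub}   # what ships in the browser

    # Legitimate: the CA signs the server's body with the CA private key.
    legit = issue_cert("example.com", server_pub, "Toy Root CA", ca_priv)

    # A server that claims the CA as issuer but only has its own private key.
    claims_ca = issue_cert("example.com", server_pub, "Toy Root CA", server_priv)

    # A server signed by a CA the browser has never heard of.
    unknown_ca = issue_cert("example.com", server_pub, "Someone Else CA", server_priv)

    # A genuine certificate whose body was altered after signing.
    tampered = {"tbs": dict(legit["tbs"], subject="bank.example"), "signature": legit["signature"]}

    return {
        "legit": browser_accepts(legit, trust_store),
        "claims_ca_without_its_key": browser_accepts(claims_ca, trust_store),
        "unknown_issuer": browser_accepts(unknown_ca, trust_store),
        "tampered_body": browser_accepts(tampered, trust_store),
    }


if __name__ == "__main__":
    for name, ok in certificate_demo().items():
        print(f"{name:28s} {'ACCEPT' if ok else 'REJECT'}")
```

The point the example makes is that the browser never compares the server's data to anything secret; it only needs the CA's public key, which is safe to distribute, while producing a signature that verifies under that key requires the CA's private key, which the server owner does not have.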