AWS Certified Database – Specialty — Question 19

A media company is using Amazon RDS for PostgreSQL to store user data. The RDS DB instance currently has a publicly accessible setting enabled and is hosted in a public subnet. Following a recent AWS Well-Architected Framework review, a Database Specialist was given new security requirements.
✑ Only certain on-premises corporate network IPs should connect to the DB instance.
✑ Connectivity is allowed from the corporate network only.
Which combination of steps does the Database Specialist need to take to meet these new requirements? (Choose three.)

Answer options

• A. Modify the pg_hba.conf file. Add the required corporate network IPs and remove the unwanted IPs.
• B. Modify the associated security group. Add the required corporate network IPs and remove the unwanted IPs.
• C. Move the DB instance to a private subnet using AWS DMS.
• D. Enable VPC peering between the application host running on the corporate network and the VPC associated with the DB instance.
• E. Disable the publicly accessible setting.
• F. Connect to the DB instance using private IPs and a VPN.

Correct answer: B, E, F

Explanation

The correct steps are to modify the security group to allow only the specified corporate IPs, disable the publicly accessible setting to restrict access, and connect via private IPs using a VPN for secure communication. The other options either do not address the direct requirements or involve unnecessary actions such as modifying the pg_hba.conf file or moving the instance to a private subnet.