AWS Certified Database – Specialty — Question 281
A company has a reporting application that runs on an Amazon EC2 instance in an isolated developer account on AWS. The application needs to retrieve data during non-peak company hours from an Amazon Aurora PostgreSQL database that runs in the company’s production account. The company's security team requires that access to production resources complies with AWS best security practices.
A database administrator needs to provide the reporting application with access to the production database. The company has already configured VPC peering between the production account and developer account. The company has also updated the route tables in both accounts with the necessary entries to correctly set up VPC peering.
What must the database administrator do to finish providing connectivity to the reporting application?
Answer options
- A. Add an inbound security group rule to the database security group that allows access from the developer account VPC CIDR on port 5432. Add an outbound security group rule to the EC2 security group that allows access to the production account VPC CIDR on port 5432.
- B. Add an outbound security group rule to the database security group that allows access from the developer account VPC CIDR on port 5432. Add an outbound security group rule to the EC2 security group that allows access to the production account VPC CIDR on port 5432.
- C. Add an inbound security group rule to the database security group that allows access from the developer account VPC CIDR on all TCP ports. Add an inbound security group rule to the EC2 security group that allows access to the production account VPC CIDR on port 5432.
- D. Add an inbound security group rule to the database security group that allows access from the developer account VPC CIDR on port 5432. Add an outbound security group rule to the EC2 security group that allows access to the production account VPC CIDR on all TCP ports.
Correct answer: A
Explanation
To establish connectivity, the database security group needs an inbound rule that allows traffic from the developer VPC CIDR on the PostgreSQL port (5432), and the EC2 instance security group needs an outbound rule that allows traffic to the production VPC CIDR on the same port. Specifying port 5432 rather than all TCP ports follows the AWS security best practice of least-privilege access. The other options either use the wrong traffic direction or open an unnecessarily wide port range.
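As an added illustration (not part of the original question page), the following audit applies the least-privilege expectation from the explanation to each answer option, modelled as rule dicts in the IpPermissions shape that `aws ec2 describe-security-groups` returns; the two VPC CIDRs are constructed sample values.

```python
"""Audit the four answer options' security-group rules for the 5432 path.
Rule dicts mimic the IpPermissions entries of describe-security-groups;
CIDRs below are constructed placeholders, not the company's real ranges."""

DEV_VPC_CIDR = "10.1.0.0/16"   # constructed: developer account VPC
PROD_VPC_CIDR = "10.0.0.0/16"  # constructed: production account VPC
PG_PORT = 5432

def rule(from_port, to_port, cidr):
    """Build one IpPermissions-style TCP entry for a single CIDR."""
    return {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": cidr}]}

def scoped_port_rule(rules, port, cidr):
    """True if a rule is scoped to exactly this port for this CIDR."""
    return any(r["FromPort"] == port and r["ToPort"] == port
               and any(ip["CidrIp"] == cidr for ip in r["IpRanges"])
               for r in rules)

def overly_broad(rules):
    """Rules spanning every TCP port (0-65535) violate least privilege."""
    return [r for r in rules if r["FromPort"] == 0 and r["ToPort"] == 65535]

def audit(db_sg, ec2_sg):
    """Return findings for a DB SG and an EC2 SG; empty list means OK."""
    findings = []
    if not scoped_port_rule(db_sg["inbound"], PG_PORT, DEV_VPC_CIDR):
        findings.append("db-sg: no inbound rule scoped to 5432 from dev VPC")
    if not scoped_port_rule(ec2_sg["outbound"], PG_PORT, PROD_VPC_CIDR):
        findings.append("ec2-sg: no outbound rule scoped to 5432 to prod VPC")
    for name, sg in (("db-sg", db_sg), ("ec2-sg", ec2_sg)):
        for direction in ("inbound", "outbound"):
            if overly_broad(sg[direction]):
                findings.append(f"{name}: {direction} rule allows all TCP ports")
    return findings

# The four answer options as (database SG, EC2 SG) rule sets
OPTIONS = {
    "A": ({"inbound": [rule(5432, 5432, DEV_VPC_CIDR)], "outbound": []},
          {"inbound": [], "outbound": [rule(5432, 5432, PROD_VPC_CIDR)]}),
    "B": ({"inbound": [], "outbound": [rule(5432, 5432, DEV_VPC_CIDR)]},
          {"inbound": [], "outbound": [rule(5432, 5432, PROD_VPC_CIDR)]}),
    "C": ({"inbound": [rule(0, 65535, DEV_VPC_CIDR)], "outbound": []},
          {"inbound": [rule(5432, 5432, PROD_VPC_CIDR)], "outbound": []}),
    "D": ({"inbound": [rule(5432, 5432, DEV_VPC_CIDR)], "outbound": []},
          {"inbound": [], "outbound": [rule(0, 65535, PROD_VPC_CIDR)]}),
}

if __name__ == "__main__":
    for label, (db_sg, ec2_sg) in OPTIONS.items():
        print(label, audit(db_sg, ec2_sg) or "OK")
```

Only option A produces no findings; B fails on direction, C and D on an all-ports rule.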