AWS Certified Database – Specialty — Question 98
A company developed a new application that is deployed on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances use the security group named sg-application-servers. The company needs a database to store the data from the application and decides to use an Amazon RDS for MySQL DB instance. The DB instance is deployed in a private DB subnet.
What is the MOST restrictive configuration for the DB instance security group?
Answer options
- A. Only allow incoming traffic from the sg-application-servers security group on port 3306.
- B. Only allow incoming traffic from the sg-application-servers security group on port 443.
- C. Only allow incoming traffic from the subnet of the application servers on port 3306.
- D. Only allow incoming traffic from the subnet of the application servers on port 443.
Correct answer: A
Explanation
The correct answer is A because allowing incoming traffic only from the sg-application-servers security group on port 3306 is the most restrictive configuration that still lets the application reach the database: MySQL listens on TCP 3306, and a rule whose source is a security group applies only to the ENIs that carry that group, so it follows the application instances as they scale in and out. Options B and D open port 443, which the DB instance does not serve. Options C and D use the subnet's CIDR block as the source, which is broader than a security-group reference because it admits any resource placed in that subnet, not just the application servers.
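To make the comparison concrete, the following added example (not part of the original question or explanation) lints each option's ingress rule set against the least-privilege pattern the answer describes. The rule dictionaries mimic the IpPermissions shape that ec2:DescribeSecurityGroups returns; the security-group name comes from the question, while the subnet CIDR 10.0.1.0/24 and the function names are constructed for this example.

```python
"""Lint the ingress rules of a DB security group against the pattern
'only the application tier's security group, only on the MySQL port'.

Rule dictionaries follow the IpPermissions shape returned by
ec2:DescribeSecurityGroups (IpProtocol, FromPort, ToPort, IpRanges for
CIDR sources, UserIdGroupPairs for security-group sources). All sample
data is constructed for this example; only sg-application-servers is
taken from the question, the subnet CIDR is an invented placeholder.
"""

MYSQL_PORT = 3306
APP_SG = "sg-application-servers"  # from the question
APP_SUBNET_CIDR = "10.0.1.0/24"     # constructed placeholder for the app subnet


def check_db_ingress(ip_permissions, expected_port=MYSQL_PORT, expected_sg=APP_SG):
    """Return a list of findings. An empty list means the rule set is
    exactly 'expected_sg -> tcp/expected_port' and nothing broader."""
    findings = []
    sg_rule_seen = False
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":
            # "-1" is the all-traffic rule: every protocol and every port.
            findings.append("rule allows all protocols/ports")
            continue
        port_ok = proto == "tcp" and from_port == expected_port and to_port == expected_port
        if not port_ok:
            findings.append(
                f"rule opens {proto}/{from_port}-{to_port}, expected tcp/{expected_port}"
            )
        # A CIDR source admits anything placed in that range, not just the app tier.
        for cidr in perm.get("IpRanges", []):
            findings.append(
                f"CIDR source {cidr['CidrIp']} is broader than a security-group reference"
            )
        for pair in perm.get("UserIdGroupPairs", []):
            group = pair.get("GroupId")
            if group == expected_sg:
                sg_rule_seen = sg_rule_seen or port_ok
            else:
                findings.append(f"unexpected source security group {group}")
    if not sg_rule_seen:
        findings.append(f"no rule references {expected_sg} on tcp/{expected_port}")
    return findings


def rule(port, *, sg=None, cidr=None):
    """Build one TCP ingress permission in the DescribeSecurityGroups shape."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": []}
    if sg:
        perm["UserIdGroupPairs"].append({"GroupId": sg})
    if cidr:
        perm["IpRanges"].append({"CidrIp": cidr})
    return perm


# The four answer options expressed as rule sets (constructed).
OPTIONS = {
    "A": [rule(3306, sg=APP_SG)],
    "B": [rule(443, sg=APP_SG)],
    "C": [rule(3306, cidr=APP_SUBNET_CIDR)],
    "D": [rule(443, cidr=APP_SUBNET_CIDR)],
}


def evaluate_options(options=OPTIONS):
    """Map each option letter to its list of findings."""
    return {name: check_db_ingress(perms) for name, perms in options.items()}


def compliant_options(options=OPTIONS):
    """Option letters whose rule set produced no findings."""
    return [name for name, perms in options.items() if not check_db_ingress(perms)]


if __name__ == "__main__":
    for name, findings in evaluate_options().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"Option {name}: {status}")
```

Running the script prints an OK line for option A and the specific findings for B, C and D. The same check can be pointed at a real group's IpPermissions list to confirm that no CIDR-based or all-traffic rule has crept in alongside the intended security-group reference.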