AWS Certified Security – Specialty — Question 118
A Security Architect has been asked to review an existing security architecture and identity why the application servers cannot successfully initiate a connection to the database servers. The following summary describes the architecture:
1. An Application Load Balancer, an internet gateway and a NAT gateway are configured in the pubic subnet.
2. Database, application, and web servers are configured on three different private subnets.
3. The VPC has two route tables: one for the public subnet and one for all other subnets. The route table for the public subnet has a 0.0.0.0/0 route to the internet gateway. The route table for all other subnets has a 0.0.0.0/0 route to the NAT gateway. All private subnets can route to each other.
4. Each subnet has a network ACL implemented that limits all inbound and outbound connectivity to only the required ports and protocols.
5. There are 3 Security Groups (SGs): database, application, and web. Each group limits all inbound and outbound connectivity to the minimum required.
Which of the following accurately reflects the access control mechanisms the Architect should verify?
Answer options
- A. Outbound SG configuration on database servers Inbound SG configuration on application servers Inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet
- B. Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound and outbound network ACL configuration on the database subnet Inbound and outbound network ACL configuration on the application server subnet
- C. Inbound and outbound SG configuration on database servers Inbound and outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet
- D. Inbound SG configuration on database servers Outbound SG configuration on application servers Inbound network ACL configuration on the database subnet Outbound network ACL configuration on the application server subnet
Correct answer: B
Explanation
The correct answer is B because it highlights the necessary Security Group configurations for both the database and application servers, ensuring that the application servers can initiate outbound connections while allowing the database servers to accept inbound connections. The other options fail to correctly identify the required configurations, either by switching the directions of the security group checks or not addressing both inbound and outbound network ACLs properly.