AWS Certified Security – Specialty — Question 286

A company is running an Amazon RDS Multi-AZ DB instance inside a VPC. The DB instance is using two subnets that provide a default route to the internet through a NAT gateway.
The company also has application servers that run on Amazon EC2 instances that use the RDS database. The company has deployed these EC2 instances into two other private subnets within the same VPC. These EC2 instances use a default route to access the internet through the same NAT gateway. Each subnet in the VPC uses its own unique route table.
After a recent security audit, the company added a new security requirement. The DB instance must never be able to connect to the internet. A security engineer must make this change immediately without disrupting the application servers' network traffic.
How can the security engineer meet these requirements?

Answer options

• A. Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
• B. Configure the DB instance's inbound network ACL to deny traffic from the security group ID of the NAT gateway.
• C. Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
• D. Configure the route table of the NAT gateway to deny connections to the DB instance subnets.

Correct answer: C

Explanation

Because each subnet in the VPC is configured with its own unique route table, removing the default route (0.0.0.0/0) to the NAT gateway from the DB subnets' route tables will immediately isolate the DB instance from the internet. This target-specific change does not impact the EC2 application servers, which continue to use their own route tables to reach the NAT gateway. Other methods are incorrect because NAT gateways do not have route tables to filter traffic, network ACLs cannot reference security group IDs, and recreating the NAT gateway would cause unnecessary downtime for the application servers.