AWS Certified Security – Specialty — Question 338

A company has two VPCs that are in the same AWS account. One VPC is located in the us-east-1 Region, and the other VPC is located in the us-west-2 Region. The VPCs have an active VPC peering connection with each other, and the route tables for each VPC are configured to route network traffic properly between the VPCs.

An Amazon Aurora DB instance exists in the VPC in us-east-1, and the DB instance’s security group controls access to the DB instance. An Auto Scaling group is running in the VPC in us-west-2. The Auto Scaling group is continually adding and removing Amazon EC2 instances because of fluctuations in the demand for capacity. Every EC2 instance that launches as part of the Auto Scaling group belongs to a security group that is specific to the Auto Scaling group.

A security engineer needs to configure a solution that allows the EC2 instances to access the DB instance that is located in us-east-1.

Which solution will meet these requirements with the LEAST amount of effort?

Answer options

Correct answer: B

Explanation

Adding the CIDR blocks of the subnets used by the Auto Scaling group to the DB instance's security group allows network traffic from any EC2 instance the group launches into those subnets, whatever private IP address it receives. Managing individual private IP addresses is operationally impractical because the Auto Scaling group frequently provisions and terminates instances. A security group rule cannot reference a security group in a peered VPC that is in a different Region, so the security group of the Auto Scaling group cannot simply be referenced from the DB instance's security group across the us-east-1/us-west-2 peering. The subnet-based CIDR approach is therefore the most reliable, lowest-effort solution.
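As an added illustration of the explanation above (example code written for this page, not part of the original question or of any AWS material), the following Python builds the ingress rule in the `IpPermissions` shape that boto3's `ec2.authorize_security_group_ingress` accepts, and then evaluates locally whether a candidate source address would be admitted by it. The subnet CIDRs, the port and the `sg-EXAMPLE` group ID are constructed placeholders; the real values come from the Auto Scaling group's subnets and the Aurora engine in use. The validation rejects malformed CIDRs and an open `0.0.0.0/0` range, which is a check a reviewer would want before the rule is applied.

```python
import ipaddress

# Constructed placeholder values (not taken from the question text):
ASG_SUBNET_CIDRS = ["10.20.1.0/24", "10.20.2.0/24"]  # subnets of the Auto Scaling group in us-west-2
AURORA_PORT = 3306                                    # assumed Aurora MySQL-compatible listener port
DB_SECURITY_GROUP_ID = "sg-EXAMPLE"                   # placeholder for the DB instance's security group


def build_ingress_permissions(cidrs, port, description):
    """Return an IpPermissions list for authorize_security_group_ingress.

    Each CIDR must be a valid network (no host bits set) and must not be
    0.0.0.0/0, so that the rule stays scoped to the Auto Scaling group's subnets.
    """
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # raises ValueError on host bits or bad syntax
        if net.prefixlen == 0:
            raise ValueError(f"refusing to allow all addresses via {cidr}")
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": description} for cidr in cidrs],
        }
    ]


def is_allowed(permissions, source_ip, port):
    """Evaluate a source address and destination port against CIDR-based ingress rules.

    Mirrors how a security group admits traffic: any rule whose protocol, port
    range and CIDR all match permits the connection; otherwise it is denied.
    """
    ip = ipaddress.ip_address(source_ip)
    for perm in permissions:
        if perm["IpProtocol"] != "tcp":
            continue
        if not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        for ip_range in perm["IpRanges"]:
            if ip in ipaddress.ip_network(ip_range["CidrIp"]):
                return True
    return False


if __name__ == "__main__":
    perms = build_ingress_permissions(ASG_SUBNET_CIDRS, AURORA_PORT, "ASG subnets in us-west-2")
    print(perms)
    # With boto3 the same structure would be applied as (assumed call, not executed here):
    #   boto3.client("ec2", region_name="us-east-1").authorize_security_group_ingress(
    #       GroupId=DB_SECURITY_GROUP_ID, IpPermissions=perms)
    # A newly launched instance anywhere in the subnets is admitted, an outside address is not:
    print(is_allowed(perms, "10.20.1.57", AURORA_PORT))  # True
    print(is_allowed(perms, "10.30.0.5", AURORA_PORT))   # False
```

The local `is_allowed` check is the reason the CIDR approach survives scale-in and scale-out: the rule matches on the subnet range, so no update is needed when instances churn.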