AWS Certified Security – Specialty — Question 346

A company is hosting a set of application, database, and web server instances in the AWS Cloud. Each set of instances has separate security groups. The company has properly defined the network ACLs. The company discovers an issue with the communication between the application and database instances.

Which set of steps should a security engineer take to troubleshoot the issue?

Answer options

Correct answer: A

Explanation

AWS security groups are stateful, meaning that if an outbound request is allowed, the return traffic is automatically permitted. To establish communication from the application to the database, the application's security group must permit outbound traffic to the database, and the database's security group must permit inbound traffic from the application. Checking outbound rules on the database or inbound rules on the application is unnecessary because of this stateful behavior.
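The check described in the explanation, as an added example that is not part of the original question: it evaluates only the initiating direction (application outbound, database inbound) over rule sets shaped like the output of EC2 `DescribeSecurityGroups`. The group IDs, IP addresses, TCP port 3306, and the helper names are constructed assumptions; network ACLs are taken as correct, as the question states.

```python
import ipaddress

def _covers(perm, port, peer_sg, peer_ip):
    """True if one IpPermissions entry allows TCP `port` to/from the peer."""
    proto = perm.get("IpProtocol")
    if proto != "-1":  # "-1" means all protocols and all ports
        if proto != "tcp" or not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            return False
    # A rule can name the peer by security group ID or by CIDR range.
    if any(p.get("GroupId") == peer_sg for p in perm.get("UserIdGroupPairs", [])):
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", []))

def check_app_to_db(app_sg, db_sg, port, app_ip, db_ip):
    """Return findings for the app -> db direction only.

    Security groups are stateful, so the database's outbound rules and the
    application's inbound rules are deliberately not inspected.
    """
    findings = []
    if not any(_covers(p, port, db_sg["GroupId"], db_ip) for p in app_sg["IpPermissionsEgress"]):
        findings.append("app SG: no outbound rule to database on port %d" % port)
    if not any(_covers(p, port, app_sg["GroupId"], app_ip) for p in db_sg["IpPermissions"]):
        findings.append("db SG: no inbound rule from application on port %d" % port)
    return findings

# Constructed sample data (not real resources). The app SG has restricted
# egress (HTTPS only); the db SG has an inbound rule and no outbound rules.
APP_SG = {"GroupId": "sg-app-example", "IpPermissions": [],
          "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
DB_SG = {"GroupId": "sg-db-example", "IpPermissionsEgress": [],
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                            "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]}]}
# Same app SG with an added outbound rule that references the db SG.
APP_SG_FIXED = dict(APP_SG, IpPermissionsEgress=APP_SG["IpPermissionsEgress"] + [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": "sg-db-example"}]}])

if __name__ == "__main__":
    print(check_app_to_db(APP_SG, DB_SG, 3306, "10.0.1.10", "10.0.2.20"))
    print(check_app_to_db(APP_SG_FIXED, DB_SG, 3306, "10.0.1.10", "10.0.2.20"))
```

With the corrected application group the check returns no findings even though the database group has no outbound rules and the application group has no inbound rules, which is the stateful behavior the explanation relies on.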