AWS Certified Solutions Architect – Associate (SAA-C02) — Question 322
A company is reviewing a recent migration of a three-tier application to a VPC. The security team discovers that the principle of least privilege is not being applied to Amazon EC2 security group ingress and egress rules between the application tiers.
What should a solutions architect do to correct this issue?
Answer options
- A. Create security group rules using the instance ID as the source or destination.
- B. Create security group rules using the security group ID as the source or destination.
- C. Create security group rules using the VPC CIDR blocks as the source or destination.
- D. Create security group rules using the subnet CIDR blocks as the source or destination.
Correct answer: B
Explanation
Referencing a security group ID as the source or destination allows you to restrict traffic specifically to resources belonging to that security group, adhering to the principle of least privilege. Using VPC or subnet CIDR blocks is too permissive because any resource within those IP ranges would be allowed access. Referencing instance IDs directly in security group rules is not supported by AWS.
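As an added illustration of answer B (example CloudFormation, not from the exam question or from AWS), the following template wires a three-tier VPC so that each tier's security group admits traffic only from the security group of the tier in front of it; the tier names, ports and the VpcId parameter are assumed placeholders.

```yaml
# Added example: least-privilege security groups that reference SG IDs
# (answer B) rather than VPC or subnet CIDR blocks. Names and ports assumed.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id

Resources:
  WebSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier, reachable on 443 from the internet
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      # Declaring any inline egress rule removes CloudFormation's default
      # allow-all egress; the real web->app egress rule is a separate
      # resource below to avoid a circular !Ref between WebSG and AppSG.
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 127.0.0.1/32

  AppSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App tier, accepts 8080 only from WebSG members
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref WebSG   # SG ID as source, not a CIDR

  DbSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DB tier, accepts 3306 only from AppSG members
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref AppSG

  WebEgressToApp:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref WebSG
      IpProtocol: tcp
      FromPort: 8080
      ToPort: 8080
      DestinationSecurityGroupId: !Ref AppSG  # SG ID as destination
```

Because membership is evaluated by security group rather than by IP, instances added to or removed from a tier (for example by Auto Scaling) are covered without editing any rule, which is what a CIDR-based rule cannot give you.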