AWS Certified Solutions Architect – Associate (SAA-C02) — Question 359

A solutions architect is developing a multiple-subnet VPC architecture. The solution will consist of six subnets in two Availability Zones. The subnets are defined as public, private and dedicated for databases. Only the Amazon EC2 instances running in the private subnets should be able to access a database.
Which solution meets these requirements?

Answer options

Correct answer: C

Explanation

Giving the database its own security group whose inbound rule names the security group of the private-subnet EC2 instances as its source restricts database access to instances that carry that security group, wherever in the VPC they sit; instances in the public subnets, which do not carry it, are excluded. Security groups are stateful, so return traffic for an allowed connection is permitted automatically, and they support allow rules only: anything not explicitly allowed is implicitly denied, and an explicit 'deny' rule cannot be written in a security group, which is why option B is incorrect. (Network ACLs do accept deny rules, but they are stateless and apply per subnet, so they cannot single out particular instances.) Route tables and VPC peering connections are routing mechanisms, not fine-grained access controls, so options A and D cannot restrict instance-level access within a single VPC.
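The control described above, as an added Terraform example; it is not part of the original question and is not AWS-published code. It assumes an existing VPC exposed as `var.vpc_id`, a database listening on TCP 5432, and two hypothetical security groups, `app` (attached to the private-subnet EC2 instances) and `db` (attached to the database). The commented-out CIDR rule is the weaker pattern shown for contrast.

```hcl
# Added example (not from the original page). Assumes an existing VPC
# exposed as var.vpc_id and a database listening on TCP 5432.

variable "vpc_id" {
  type = string
}

# Attached to the EC2 instances in the two private subnets.
resource "aws_security_group" "app" {
  name        = "app-tier"
  description = "Private-subnet application instances"
  vpc_id      = var.vpc_id
}

# Attached to the database in the dedicated database subnets.
resource "aws_security_group" "db" {
  name        = "db-tier"
  description = "Database tier; inbound only from app-tier"
  vpc_id      = var.vpc_id
}

# Correct pattern: the source is the app security group itself, so only
# network interfaces that carry aws_security_group.app can reach port 5432,
# regardless of which subnet or IP address they have. Security groups are
# allow-only; everything not listed here is implicitly denied.
resource "aws_vpc_security_group_ingress_rule" "db_from_app" {
  security_group_id            = aws_security_group.db.id
  referenced_security_group_id = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
}

# Weaker pattern, shown for contrast (do not use): a CIDR source covering
# the whole VPC also admits the public subnets and anything else that is
# later placed in that address range.
#
# resource "aws_vpc_security_group_ingress_rule" "db_from_vpc_cidr" {
#   security_group_id = aws_security_group.db.id
#   cidr_ipv4         = "10.0.0.0/16"   # assumed VPC CIDR
#   ip_protocol       = "tcp"
#   from_port         = 5432
#   to_port           = 5432
# }

# The app tier needs an egress rule, because Terraform's aws_security_group
# resource removes the default allow-all egress rule on creation. Security
# groups are stateful, so the database's replies to this connection are
# allowed without any inbound rule on the app group.
resource "aws_vpc_security_group_egress_rule" "app_to_db" {
  security_group_id            = aws_security_group.app.id
  referenced_security_group_id = aws_security_group.db.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
}
```

After applying, check the result with `aws ec2 describe-security-groups --group-ids <db-sg-id> --query 'SecurityGroups[0].IpPermissions'`: the permission for port 5432 should list the app security group under `UserIdGroupPairs` and have an empty `IpRanges`. Note that the reference matches on the source interface's attached security group, so traffic that reaches the database from a different source interface (for example through a NAT instance) will not match the rule.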