AWS Certified Solutions Architect – Associate (SAA-C02) — Question 482

A company is planning on deploying a newly built application on AWS in a default VPC. The application will consist of a web layer and database layer. The web server was created in public subnets, and the MySQL database was created in private subnets. All subnets are created with the default network ACL settings, and the default security group in the VPC will be replaced with new custom security groups.
The following are the key requirements:
✑ The web servers must be accessible only to users on an SSL connection.
✑ The database should be accessible to the web layer, which is created in a public subnet only.
✑ All traffic to and from the IP range 182.20.0.0/16 subnet should be blocked.
Which combination of steps meets these requirements? (Choose two.)

Answer options

Correct answer: B, D

Explanation

Security groups are stateful and support allow rules only; there is no deny action, so a security group cannot block a source range. Blocking 182.20.0.0/16 therefore has to be done in the network ACL, and because NACLs are stateless, a deny rule is needed in both the inbound and the outbound rule set, which is what option D does. One practical caveat: NACL rules are evaluated in ascending rule-number order and the first match wins, and the default NACL already contains an allow-all at rule 100, so the deny entries must be numbered lower than 100 or they will never be reached. To restrict database access to the web layer alone, the database security group should reference the web servers' security group as its source rather than the public subnet's CIDR; a CIDR rule would admit any host that happens to sit in that subnet, while a security-group reference admits only instances that are members of it. That is option B. The HTTPS-only requirement is likewise a security group matter: the web tier's inbound rules should permit TCP 443 and nothing else. Option A is insecure, and options C and E do not configure the stateless NACL rules needed to block traffic in both directions.
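The following evaluator makes the two behaviours in the explanation concrete: a NACL is stateless, applies rules in ascending number order and denies whatever is unmatched, while a security group is stateful and has only allow rules, so any matching rule admits the traffic. It is an added example, not part of the original question and not AWS code. Every address, security group id, rule number and the instance-to-group membership map is an assumption constructed for the scenario; the rule sets model the question's requirements plus the two common mistakes (deny numbered after the allow-all, and a CIDR-based database rule instead of a security-group reference).

```python
"""Toy evaluator for the two AWS controls in the question: a network ACL
(stateless, rules applied in ascending number order, first match wins,
implicit final deny) and a security group (stateful, allow rules only, any
match allows). Added example, not AWS code. All addresses, SG ids, rule
numbers and the membership map below are constructed for illustration."""
import ipaddress

# --- constructed scenario -------------------------------------------------
WEB_SG, DB_SG = "sg-web", "sg-db"   # assumed custom security groups
WEB_IP = "10.0.1.10"                # web server in the public subnet, member of sg-web
OTHER_IP = "10.0.1.99"              # another host in the same public subnet, not in sg-web
BLOCKED_CLIENT = "182.20.4.5"       # inside the range the question says to block
OK_CLIENT = "203.0.113.7"           # ordinary Internet client
EPHEMERAL = 49152                   # representative client-side ephemeral port
MEMBERSHIP = {WEB_IP: {WEB_SG}}     # instance IP -> security groups it belongs to

ALLOW_ALL = (100, "allow", "0.0.0.0/0", 0, 65535)   # the default NACL's rule 100
DENY_RANGE = ("deny", "182.20.0.0/16", 0, 65535)
NACL_DEFAULT = [ALLOW_ALL]
NACL_CORRECT = [(50,) + DENY_RANGE, ALLOW_ALL]     # deny evaluated before allow-all
NACL_WRONG = [ALLOW_ALL, (200,) + DENY_RANGE]      # deny sits after allow-all: never reached

WEB_SG_INBOUND = [("tcp", 443, 443, "0.0.0.0/0")]      # HTTPS from anywhere, nothing else
DB_SG_BY_SG = [("tcp", 3306, 3306, WEB_SG)]            # MySQL only from members of sg-web
DB_SG_BY_CIDR = [("tcp", 3306, 3306, "10.0.1.0/24")]   # MySQL from the whole public subnet


def nacl_decision(rules, peer_ip, port):
    """One direction of a NACL. peer_ip is the source for inbound rules and the
    destination for outbound rules. Returns 'allow' or 'deny'."""
    ip = ipaddress.ip_address(peer_ip)
    for _number, action, cidr, lo, hi in sorted(rules):   # ascending rule number
        if ip in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action
    return "deny"   # the '*' rule at the bottom of every NACL


def sg_allows(rules, src_ip, port):
    """Security-group inbound check: allowed if ANY rule matches. There is no
    deny action, so a source can only be excluded by matching no rule at all."""
    ip = ipaddress.ip_address(src_ip)
    for _proto, lo, hi, source in rules:
        if not lo <= port <= hi:
            continue
        if source.startswith("sg-"):                 # rule references another SG
            if source in MEMBERSHIP.get(src_ip, set()):
                return True
        elif ip in ipaddress.ip_network(source):     # rule is a CIDR
            return True
    return False


def client_reaches_web(client_ip, port, nacl_in, nacl_out):
    """Internet client -> web server. The NACL is stateless, so the request
    (inbound) and the response to the client's ephemeral port (outbound) are
    both checked; the SG is stateful, so only its inbound rule matters."""
    return (nacl_decision(nacl_in, client_ip, port) == "allow"
            and nacl_decision(nacl_out, client_ip, EPHEMERAL) == "allow"
            and sg_allows(WEB_SG_INBOUND, client_ip, port))


def host_reaches_db(src_ip, db_sg_rules):
    """Host in the public subnet -> MySQL in the private subnet. The private
    subnet's NACL is left at the default allow-all, so the SG decides."""
    return (nacl_decision(NACL_DEFAULT, src_ip, 3306) == "allow"
            and sg_allows(db_sg_rules, src_ip, 3306))


if __name__ == "__main__":
    print(client_reaches_web(OK_CLIENT, 443, NACL_CORRECT, NACL_CORRECT))       # True
    print(client_reaches_web(OK_CLIENT, 80, NACL_CORRECT, NACL_CORRECT))        # False: SG opens 443 only
    print(client_reaches_web(BLOCKED_CLIENT, 443, NACL_CORRECT, NACL_CORRECT))  # False: deny at rule 50
    print(client_reaches_web(BLOCKED_CLIENT, 443, NACL_WRONG, NACL_WRONG))      # True: deny after allow-all
    print(nacl_decision(NACL_DEFAULT, BLOCKED_CLIENT, 443))   # allow: an inbound-only deny leaves this direction open
    print(host_reaches_db(WEB_IP, DB_SG_BY_SG), host_reaches_db(OTHER_IP, DB_SG_BY_SG))   # True False
    print(host_reaches_db(OTHER_IP, DB_SG_BY_CIDR))   # True: a subnet CIDR admits any host in that subnet
```

The `NACL_WRONG` case is the one to remember: the security group cannot help, because it has no deny, and a NACL deny numbered above the default allow-all is never consulted, so the "blocked" client connects normally. The outbound direction has to carry its own deny too; `nacl_decision(NACL_DEFAULT, ...)` shows a packet towards the blocked range leaving untouched when only the inbound rule set was changed.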