AWS Certified Solutions Architect – Associate (SAA-C02) — Question 559
A solutions architect is designing a two-tiered architecture that includes a public subnet and a database subnet. The web servers in the public subnet must be open to the internet on port 443. The Amazon RDS for MySQL DB instance in the database subnet must be accessible only to the web servers on port 3306.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
Answer options
- A. Create a network ACL for the public subnet. Add a rule to deny outbound traffic to 0.0.0.0/0 on port 3306.
- B. Create a security group for the DB instance. Add a rule to allow traffic from the public subnet CIDR block on port 3306.
- C. Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443.
- D. Create a security group for the DB instance. Add a rule to allow traffic from the web servers' security group on port 3306.
- E. Create a security group for the DB instance. Add a rule to deny all traffic except traffic from the web servers' security group on port 3306.
Correct answer: C, D
Explanation
To allow external HTTPS traffic to reach the web servers, the web tier's security group must permit inbound traffic from 0.0.0.0/0 on port 443. For the database tier, referencing the web servers' security group as the source on port 3306 ensures that only the EC2 instances attached to that group can reach the Amazon RDS for MySQL DB instance; a rule sourced from the public subnet's CIDR block (option B) would instead admit any instance placed in that subnet. Security groups are stateful and support only allow rules: inbound traffic is denied unless a rule explicitly allows it, and the reply traffic for an allowed connection is permitted automatically, so explicit deny rules (option E) do not exist and the network ACL change (option A) is unnecessary for this scenario.
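The following CloudFormation template is an added example, not part of the exam page, showing the two security groups that options C and D describe. The VpcId parameter and the 10.0.1.0/24 public-subnet range mentioned in the comment are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - web tier and DB tier security groups (options C and D)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id   # assumed: the VPC containing both subnets

Resources:
  # Option C: web servers accept HTTPS from anywhere.
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier - HTTPS from the internet
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  # Option D: the DB instance accepts MySQL only from members of the web tier group.
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DB tier - MySQL only from the web server security group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref WebServerSecurityGroup
          # Option B would replace the line above with a subnet range such as
          # "CidrIp: 10.0.1.0/24" (assumed public subnet), which admits any
          # instance launched in that subnet, not only the web servers.
```

Attach WebServerSecurityGroup to the web EC2 instances and list DatabaseSecurityGroup in the RDS instance's VPCSecurityGroups property. No outbound rule on DatabaseSecurityGroup is needed for MySQL responses, because security groups are stateful; and because the group has no deny rules, any traffic not matched by the single ingress rule is dropped.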