AWS Certified Solutions Architect – Associate (SAA-C02) — Question 677
A company wants to deploy a new public web application on AWS. The application includes a web server tier that uses Amazon EC2 instances. The application also includes a database tier that uses an Amazon RDS for MySQL DB instance.
The application must be secure and accessible for global customers that have dynamic IP addresses.
How should a solutions architect configure the security groups to meet these requirements?
Answer options
- A. Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
- B. Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
- C. Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the IP addresses of the customers.
- D. Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from 0.0.0.0/0.
Correct answer: A
Explanation
Because the customers' IP addresses are dynamic, the web tier cannot be locked to a known list of source addresses (options B and C); its security group must allow inbound TCP 443 from 0.0.0.0/0 (and from ::/0 if the instances also have IPv6 addresses). The database tier must not be reachable from the internet (option D) or from customer addresses (option C). Instead, the RDS security group allows inbound TCP 3306 with the web tier's security group as the source: only network interfaces that carry the web security group can reach the DB instance, whatever their IP addresses, and the rule does not need updating when web instances are added or replaced. Security groups are stateful, so return traffic for permitted inbound connections is allowed automatically and no extra outbound rules are needed. As a practical check, also confirm the DB instance is not marked publicly accessible and sits in private subnets; the security group reference alone does not prevent a public endpoint from existing.
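As an added example (not part of the exam page), the following Python audit encodes the two requirements and evaluates each option's rule set. The rule data is constructed here in the same shape as the IpPermissions entries returned by `aws ec2 describe-security-groups`, so the same `audit` function could be pointed at real output; the group IDs (`sg-web`, `sg-db`) and the customer CIDRs (TEST-NET ranges) are placeholders, not values from the question.

```python
"""Audit the four security-group layouts from the question against the stated
requirements.  Added example, not from the exam page.  Rule entries mirror the
IpPermissions structure of `aws ec2 describe-security-groups`; all IDs and
CIDRs below are constructed placeholders."""

ANYWHERE = "0.0.0.0/0"
WEB_SG = "sg-web"   # hypothetical security group IDs
DB_SG = "sg-db"
# Stand-in for "the customers' IP addresses" (RFC 5737 documentation ranges).
CUSTOMER_CIDRS = ("203.0.113.0/24", "198.51.100.0/24")


def ingress(port, cidrs=(), source_sgs=()):
    """Build one IpPermissions-style inbound rule for a single TCP port."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "UserIdGroupPairs": [{"GroupId": g} for g in source_sgs],
    }


# The four answer options, expressed as {security group id: [inbound rules]}.
OPTIONS = {
    "A": {WEB_SG: [ingress(443, cidrs=[ANYWHERE])],
          DB_SG: [ingress(3306, source_sgs=[WEB_SG])]},
    "B": {WEB_SG: [ingress(443, cidrs=CUSTOMER_CIDRS)],
          DB_SG: [ingress(3306, source_sgs=[WEB_SG])]},
    "C": {WEB_SG: [ingress(443, cidrs=CUSTOMER_CIDRS)],
          DB_SG: [ingress(3306, cidrs=CUSTOMER_CIDRS)]},
    "D": {WEB_SG: [ingress(443, cidrs=[ANYWHERE])],
          DB_SG: [ingress(3306, cidrs=[ANYWHERE])]},
}


def covers_port(rule, port):
    """True if the rule's protocol/port range includes the given TCP port."""
    return rule["IpProtocol"] in ("tcp", "-1") and rule["FromPort"] <= port <= rule["ToPort"]


def audit(groups, web_sg=WEB_SG, db_sg=DB_SG):
    """Return a list of findings; an empty list means the layout meets both requirements."""
    findings = []

    # Requirement 1: clients with dynamic (unknown) IPs must reach the web tier on 443,
    # which in security-group terms means a CIDR rule for 0.0.0.0/0 on that port.
    web_443 = [r for r in groups[web_sg] if covers_port(r, 443)]
    if not any(ANYWHERE in {ip["CidrIp"] for ip in r["IpRanges"]} for r in web_443):
        findings.append("web: port 443 is not open to 0.0.0.0/0, clients with dynamic IPs will be blocked")

    # Requirement 2: the DB tier accepts 3306 only from the web tier's security group.
    db_3306 = [r for r in groups[db_sg] if covers_port(r, 3306)]
    for r in db_3306:
        for ip in r["IpRanges"]:
            findings.append(f"db: port 3306 open to CIDR {ip['CidrIp']}; only the web tier SG should be a source")
        for pair in r["UserIdGroupPairs"]:
            if pair["GroupId"] != web_sg:
                findings.append(f"db: port 3306 open to unexpected group {pair['GroupId']}")
    if not any(web_sg in {p["GroupId"] for p in r["UserIdGroupPairs"]} for r in db_3306):
        findings.append("db: no rule lets the web tier SG reach port 3306")
    return findings


def passing_options():
    """Names of the options whose rule sets produce no findings."""
    return sorted(name for name, groups in OPTIONS.items() if not audit(groups))


if __name__ == "__main__":
    for name, groups in OPTIONS.items():
        result = audit(groups)
        print(name, "OK" if not result else "; ".join(result))
```

Only option A comes back clean: B and C fail the first requirement because a fixed customer CIDR list cannot follow dynamic addresses, and C and D fail the second because the DB port is opened to CIDR ranges instead of to the web tier's security group.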