AWS Certified Solutions Architect – Associate (SAA-C03) — Question 1012
A company's software development team needs an Amazon RDS Multi-AZ cluster. The RDS cluster will serve as a backend for a desktop client that is deployed on premises. The desktop client requires direct connectivity to the RDS cluster.
The company must give the development team the ability to connect to the cluster by using the client when the team is in the office.
Which solution provides the required connectivity MOST securely?
Answer options
- A. Create a VPC and two public subnets. Create the RDS cluster in the public subnets. Use AWS Site-to-Site VPN with a customer gateway in the company's office.
- B. Create a VPC and two private subnets. Create the RDS cluster in the private subnets. Use AWS Site-to-Site VPN with a customer gateway in the company's office.
- C. Create a VPC and two private subnets. Create the RDS cluster in the private subnets. Use RDS security groups to allow the company's office IP ranges to access the cluster.
- D. Create a VPC and two public subnets. Create the RDS cluster in the public subnets. Create a cluster user for each developer. Use RDS security groups to allow the users to access the cluster.
Correct answer: B
Explanation
Option B is the most secure because placing the Amazon RDS cluster in private subnets keeps it off the public internet, while AWS Site-to-Site VPN provides an encrypted tunnel from the on-premises office into the VPC, so the desktop client connects over private addressing. Options A and D are less secure because they place the database in public subnets, exposing it to the internet; per-developer cluster users in option D control authentication but do nothing to reduce that network exposure. Option C is incorrect because security groups only filter traffic that can already reach the instance; they do not provide a network path between the on-premises office and a private VPC subnet, which requires a VPN or AWS Direct Connect.