AWS Certified Solutions Architect – Associate (SAA-C03) — Question 220
A company is reviewing a recent migration of a three-tier application to a VPC. The security team discovers that the principle of least privilege is not being applied to Amazon EC2 security group ingress and egress rules between the application tiers.
What should a solutions architect do to correct this issue?
Answer options
- A. Create security group rules using the instance ID as the source or destination.
- B. Create security group rules using the security group ID as the source or destination.
- C. Create security group rules using the VPC CIDR blocks as the source or destination.
- D. Create security group rules using the subnet CIDR blocks as the source or destination.
Correct answer: B
Explanation
The correct answer is B: referencing a security group ID as the source or destination scopes a rule to the current members of that group, which gives granular control over traffic between application tiers and adheres to the principle of least privilege. Option A is incorrect since instance IDs can change, while C and D are too broad: a VPC or subnet CIDR block admits every resource in that address range, more than the tier actually needs, which violates the principle of least privilege.
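As an added illustration (not part of the exam question), the script below audits DescribeSecurityGroups-shaped data for internal-tier ingress rules granted to CIDR blocks (options C and D) and builds the security-group-referenced rule that option B calls for; the group IDs, ports and rules are constructed sample values, not real resources.

```python
"""Audit tier-to-tier security group rules for CIDR-based grants and build
the security-group-referenced replacement. Runs offline on constructed data."""

from typing import Dict, List

# Constructed sample in the shape returned by EC2 DescribeSecurityGroups.
# Group IDs are placeholders, not real AWS resources.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web0000", "GroupName": "web-tier",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app0000", "GroupName": "app-tier",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}],  # too broad
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db00000", "GroupName": "db-tier",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-app0000"}]}]},
]

# Ports that only another internal tier should ever reach (assumed for the sample).
INTERNAL_PORTS = {8080, 3306}


def find_cidr_tier_rules(groups: List[Dict]) -> List[str]:
    """Return 'groupId:port:cidr' for each internal-tier ingress rule whose
    source is an IPv4/IPv6 CIDR block rather than a security group reference."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("FromPort") not in INTERNAL_PORTS:
                continue
            for rng in perm.get("IpRanges", []):
                findings.append(f"{sg['GroupId']}:{perm['FromPort']}:{rng['CidrIp']}")
            for rng in perm.get("Ipv6Ranges", []):
                findings.append(f"{sg['GroupId']}:{perm['FromPort']}:{rng['CidrIpv6']}")
    return findings


def tier_ingress(port: int, source_group_id: str) -> Dict:
    """Build the IpPermissions entry for ec2.authorize_security_group_ingress
    that admits only members of source_group_id (the option B approach)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_group_id}]}


if __name__ == "__main__":
    print("CIDR-based tier rules:", find_cidr_tier_rules(SAMPLE_GROUPS))
    print("Replacement for app tier:", tier_ingress(8080, "sg-web0000"))
```

The web tier's 443 rule is deliberately left out of the findings because it is the internet-facing edge; only the app and database ports are expected to be reachable solely from another tier.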