AWS Certified Solutions Architect – Associate (SAA-C03) — Question 280

A company runs a web application that is deployed on Amazon EC2 instances in the private subnet of a VPC. An Application Load Balancer (ALB) that extends across the public subnets directs web traffic to the EC2 instances. The company wants to implement new security measures to restrict inbound traffic from the ALB to the EC2 instances while preventing access from any other source inside or outside the private subnet of the EC2 instances.

Which solution will meet these requirements?

Answer options

• A. Configure a route in a route table to direct traffic from the internet to the private IP addresses of the EC2 instances.
• B. Configure the security group for the EC2 instances to only allow traffic that comes from the security group for the ALB.
• C. Move the EC2 instances into the public subnet. Give the EC2 instances a set of Elastic IP addresses.
• D. Configure the security group for the ALB to allow any TCP traffic on any port.

Correct answer: B

Explanation

Configuring the security group of the EC2 instances to reference the security group of the ALB as the source ensures that only traffic forwarded by the load balancer is allowed. This implements the principle of least privilege and blocks all other traffic from inside or outside the VPC. Other options either fail to restrict access to the EC2 instances or unnecessarily expose them directly to the public internet.