AWS Certified Solutions Architect – Associate (SAA-C03) — Question 382

A company wants to deploy a new public web application on AWS. The application includes a web server tier that uses Amazon EC2 instances. The application also includes a database tier that uses an Amazon RDS for MySQL DB instance.

The application must be secure and accessible for global customers that have dynamic IP addresses.

How should a solutions architect configure the security groups to meet these requirements?

Answer options

• A. Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
• B. Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
• C. Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the IP addresses of the customers.
• D. Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from 0.0.0.0/0.

Correct answer: A

Explanation

Because global customers have dynamic IP addresses, the web servers must accept HTTPS traffic (port 443) from any source (0.0.0.0/0). To secure the database tier, the Amazon RDS for MySQL DB instance should only accept inbound connections on port 3306 from the security group of the web servers rather than the entire internet. Restricting the web tier to dynamic client IPs or exposing the database publicly would violate the application's availability and security requirements.