AWS Certified Solutions Architect – Associate (SAA-C03) — Question 395

A solutions architect is designing a two-tiered architecture that includes a public subnet and a database subnet. The web servers in the public subnet must be open to the internet on port 443. The Amazon RDS for MySQL DB instance in the database subnet must be accessible only to the web servers on port 3306.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

Answer options

Correct answer: C, D

Explanation

To allow external internet clients to reach the web servers, the web servers' security group must permit inbound HTTPS traffic (TCP port 443) from any source (0.0.0.0/0). To restrict database access, the database's security group should allow inbound traffic on TCP port 3306 only from the web servers' security group (referenced by security group ID) rather than from a broad CIDR block; this keeps the rule tied to the web tier even as instances are added, replaced, or change IP addresses. Security groups are stateful, deny all inbound traffic by default, and contain only allow rules, so an explicit deny rule (as in Option E) is not something a security group can express.
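The two security groups described above, written as a CloudFormation template. This is an added example, not part of the original question or AWS documentation; it assumes an existing VPC passed in as the `VpcId` parameter, and the RDS instance and web servers (not shown) are expected to attach `DatabaseSecurityGroup` and `WebServerSecurityGroup` respectively.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: web-tier security group open to the internet on 443,
  database-tier security group accepting 3306 only from the web-tier group.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: Assumed existing VPC that contains the public and database subnets

Resources:
  # Web tier: the only inbound rule is HTTPS from anywhere.
  # Return traffic to clients is allowed automatically because security groups are stateful.
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web servers reachable from the internet on HTTPS only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: HTTPS from any internet client

  # Database tier: no CIDR-based rule at all. The source is the web-tier
  # security group ID, so any instance in that group (and only those) can
  # reach MySQL, regardless of which private IP it happens to have.
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS for MySQL reachable only from the web tier on 3306
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref WebServerSecurityGroup
          Description: MySQL from the web server security group only

Outputs:
  WebServerSecurityGroupId:
    Value: !Ref WebServerSecurityGroup
  DatabaseSecurityGroupId:
    Value: !Ref DatabaseSecurityGroup
```

Deploy with `aws cloudformation deploy --template-file two-tier-sg.yaml --stack-name two-tier-sg --parameter-overrides VpcId=<your-vpc-id>`, then attach the output group IDs to the web instances and the RDS instance. Note that neither group carries a deny rule: everything not explicitly allowed (for example port 22 to the web tier, or 3306 from anywhere other than the web group) is dropped by default, which is exactly why an "explicit deny" option cannot be the right answer.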