AWS Certified Solutions Architect – Associate (SAA-C03) — Question 844

A solutions architect is designing a three-tier web application. The architecture consists of an internet-facing Application Load Balancer (ALB) and a web tier that is hosted on Amazon EC2 instances in private subnets. The application tier with the business logic runs on EC2 instances in private subnets. The database tier consists of Microsoft SQL Server that runs on EC2 instances in private subnets. Security is a high priority for the company.

Which combination of security group configurations should the solutions architect use? (Choose three.)

Answer options

• A. Configure the security group for the web tier to allow inbound HTTPS traffic from the security group for the ALB.
• B. Configure the security group for the web tier to allow outbound HTTPS traffic to 0.0.0.0/0.
• C. Configure the security group for the database tier to allow inbound Microsoft SQL Server traffic from the security group for the application tier.
• D. Configure the security group for the database tier to allow outbound HTTPS traffic and Microsoft SQL Server traffic to the security group for the web tier.
• E. Configure the security group for the application tier to allow inbound HTTPS traffic from the security group for the web tier.
• F. Configure the security group for the application tier to allow outbound HTTPS traffic and Microsoft SQL Server traffic to the security group for the web tier.

Correct answer: A, C, E

Explanation

To maintain a secure three-tier architecture, inbound traffic should be restricted at each tier to only accept requests from the tier directly above it. Because security groups are stateful, return traffic is automatically allowed, meaning only the inbound rules for Web (from ALB), App (from Web), and Database (from App) need to be explicitly configured. Outbound configurations to wider scopes or incorrect tiers are unnecessary and violate the principle of least privilege.