AWS Certified Solutions Architect – Professional (SAP-C02) — Question 84

A company has an application that runs on Amazon EC2 instances. A solutions architect is designing VPC infrastructure in an AWS Region where the application needs to access an Amazon Aurora DB Cluster. The EC2 instances are all associated with the same security group. The DB cluster is associated with its own security group.

The solutions architect needs to add rules to the security groups to provide the application with least privilege access to the DB Cluster.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

• A. Add an inbound rule to the EC2 instances' security group. Specify the DB cluster's security group as the source over the default Aurora port.
• B. Add an outbound rule to the EC2 instances' security group. Specify the DB cluster's security group as the destination over the default Aurora port.
• C. Add an inbound rule to the DB cluster's security group. Specify the EC2 instances' security group as the source over the default Aurora port.
• D. Add an outbound rule to the DB cluster's security group. Specify the EC2 instances' security group as the destination over the default Aurora port.
• E. Add an outbound rule to the DB cluster's security group. Specify the EC2 instances' security group as the destination over the ephemeral ports.

Correct answer: B, C

Explanation

The correct answer is B and C. Option B allows the EC2 instances to initiate connections to the DB cluster by permitting outbound traffic to the DB cluster's security group. Option C ensures that the DB cluster can accept inbound traffic from the EC2 instances, allowing the application to interact with the database. The other options either do not provide the necessary access or are incorrectly configured for the intended communication flow.