AWS Certified SysOps Administrator – Associate (legacy) — Question 327
A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24.
The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group (DBSecGrp)?
Answer options
- A. Allow Inbound on port 3306 for Source Web Server Security Group (WebSecGrp)
- B. Allow Inbound on port 3306 from source 20.0.0.0/16
- C. Allow Outbound on port 3306 for Destination Web Server Security Group (WebSecGrp)
- D. Allow Outbound on port 80 for Destination NAT Instance IP
Correct answer: A
Explanation
To allow the web server to reach the database, DBSecGrp must permit inbound TCP 3306 with the web server's security group (WebSecGrp) as the source. A security group referenced as a source matches any instance that has that group attached, regardless of its IP address, so the rule follows the web tier even if instances are replaced or scaled. Option B also lets the web server connect, but 20.0.0.0/16 covers every host in the VPC, including the public subnet, so any compromised or misplaced instance could reach the database; that is broader than least privilege requires. Options C and D are not needed: security groups are stateful, so the reply traffic for a connection that was allowed inbound is permitted automatically without any outbound rule, and the default security group egress already allows all outbound traffic. Traffic from the DB server to a NAT instance is unrelated to serving the web tier.
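The following is an added example, not AWS code or part of the original question. It is a small offline model of how security-group rules are evaluated (source given as a CIDR block or as another security group, default-deny inbound, default allow-all outbound, stateful tracking of established flows), built with the question's VPC 20.0.0.0/16, WebSecGrp and DBSecGrp plus one constructed "rogue" host that is inside the VPC but not a member of WebSecGrp. The instance addresses and the extra group name are assumptions for illustration. Running it shows why option A admits the web server and nothing else, why option B also admits the rogue host, and why no outbound rule is needed for the database's replies.

```python
"""Constructed model of AWS security-group evaluation (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    source_sg: Optional[str] = None    # source expressed as another security group's id
    source_cidr: Optional[str] = None  # or as a CIDR block


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Instance:
    ip: str
    sgs: frozenset  # ids of the security groups attached to the instance's ENI


class Vpc:
    def __init__(self) -> None:
        self.groups: Dict[str, SecurityGroup] = {}
        self.instances: Dict[str, Instance] = {}
        # Connection-tracking table: (client_ip, client_port, server_ip, server_port, proto)
        self.tracked: Set[Tuple[str, int, str, int, str]] = set()

    def _matches(self, rule: Rule, src: Instance, proto: str, dport: int) -> bool:
        if rule.proto != proto or rule.port != dport:
            return False
        if rule.source_sg is not None:
            # SG-referenced source: matches any instance carrying that group, whatever its address
            return rule.source_sg in src.sgs
        return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.source_cidr)

    def connect(self, src_ip: str, dst_ip: str, proto: str, dport: int, sport: int) -> bool:
        """New flow from src to dst:dport. Egress is default allow-all, so only the
        destination's inbound rules decide; any attached group with a match permits it."""
        src, dst = self.instances[src_ip], self.instances[dst_ip]
        for sg_id in dst.sgs:
            if any(self._matches(r, src, proto, dport) for r in self.groups[sg_id].inbound):
                self.tracked.add((src_ip, sport, dst_ip, dport, proto))
                return True
        return False

    def reply(self, src_ip: str, sport: int, dst_ip: str, dport: int, proto: str) -> bool:
        """Return traffic passes only because the flow is tracked (stateful semantics);
        no outbound rule on the server's group is consulted."""
        return (dst_ip, dport, src_ip, sport, proto) in self.tracked


# Constructed addresses: web server in 20.0.1.0/24, DB server in a private subnet,
# and an unrelated host that is in the VPC but not a member of WebSecGrp.
WEB_IP, DB_IP, ROGUE_IP = "20.0.1.10", "20.0.2.10", "20.0.1.50"


def build_vpc(db_rule: Optional[Rule]) -> Vpc:
    vpc = Vpc()
    vpc.groups["WebSecGrp"] = SecurityGroup("WebSecGrp", [Rule("tcp", 80, source_cidr="0.0.0.0/0")])
    vpc.groups["DBSecGrp"] = SecurityGroup("DBSecGrp", [db_rule] if db_rule else [])
    vpc.groups["OtherSecGrp"] = SecurityGroup("OtherSecGrp")  # assumed name for the rogue host's group
    for inst in (Instance(WEB_IP, frozenset({"WebSecGrp"})),
                 Instance(DB_IP, frozenset({"DBSecGrp"})),
                 Instance(ROGUE_IP, frozenset({"OtherSecGrp"}))):
        vpc.instances[inst.ip] = inst
    return vpc


OPTION_A = Rule("tcp", 3306, source_sg="WebSecGrp")        # answer A
OPTION_B = Rule("tcp", 3306, source_cidr="20.0.0.0/16")   # answer B


def evaluate(db_rule: Optional[Rule]) -> Dict[str, bool]:
    """Outcome of the three flows that matter for the question under a given DBSecGrp rule."""
    vpc = build_vpc(db_rule)
    return {
        "web_to_db": vpc.connect(WEB_IP, DB_IP, "tcp", 3306, sport=40000),
        "db_reply": vpc.reply(DB_IP, 3306, WEB_IP, 40000, "tcp"),
        "rogue_to_db": vpc.connect(ROGUE_IP, DB_IP, "tcp", 3306, sport=40001),
    }


if __name__ == "__main__":
    for label, rule in (("A: source WebSecGrp", OPTION_A),
                        ("B: source 20.0.0.0/16", OPTION_B),
                        ("no inbound rule", None)):
        print(label, evaluate(rule))
```

With option A the web server connects, its reply is carried by the tracked flow alone, and the rogue host is refused; with option B the rogue host is admitted as well. In the real API the option A rule is the one created by `aws ec2 authorize-security-group-ingress --group-id <DBSecGrp id> --protocol tcp --port 3306 --source-group <WebSecGrp id>`; the referenced group must be in the same VPC (or a peered VPC) for the reference to match.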