
A solutions architect is developing a VPC architecture that includes multiple subnets. The architecture will host applications that use Amazon EC2 instances and Amazon RDS DB instances. The architecture consists of six subnets in two Availability Zones. Each Availability Zone includes a public subnet, a private subnet, and a dedicated subnet for databases. Only EC2 instances that run in the private subnets can have access to the RDS databases.
Which solution will meet these requirements?
A. Create a new route table that excludes the route to the public subnets' CIDR blocks. Associate the route table with the database subnets.
B. Create a security group that denies inbound traffic from the security group that is assigned to instances in the public subnets. Attach the security group to the DB instances.
C. Create a security group that allows inbound traffic from the security group that is assigned to instances in the private subnets. Attach the security group to the DB instances.
D. Create a new peering connection between the public subnets and the private subnets. Create a different peering connection between the private subnets and the database subnets.
Explanation:
Correct Answer: C
Why Option C is correct: A security group rule can name another security group as its source instead of an IP range. A rule on the DB instances' security group that allows inbound traffic on the database port from the security group assigned to the private-subnet instances admits only instances that carry that group, whatever their IP addresses; all other traffic, including traffic from the public subnets, is dropped by the default deny.
Why Other Options are Incorrect:
Option A: Route tables control traffic between subnets at the network level, not at the instance level. Excluding routes to public subnets doesn't prevent instances in public subnets from accessing database instances if they have the right security group rules. Route tables are for routing decisions, not for fine-grained access control.
Option B: Security groups are "allow" by default, not "deny". You cannot create explicit deny rules in security groups. Security groups only support allow rules, and all traffic is denied by default unless explicitly allowed.
Option D: VPC peering connections are for connecting different VPCs, not for controlling access between subnets within the same VPC. All subnets within a VPC can communicate with each other by default unless restricted by security groups or network ACLs. Peering connections would be unnecessary and complex for this scenario.
Key AWS Concepts:
Best Practice: Always use security groups for instance-level access control within a VPC, and reference security groups rather than IP addresses for better security and maintainability.
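The following is an added example, not part of the original quiz page: a small Python model of how security groups evaluate inbound traffic, used to show why option C isolates the databases, why option B cannot even be expressed (there are no deny rules), and why the best practice above prefers referencing a security group over a CIDR block. The security group ids, subnet addresses and the MySQL port 3306 are constructed sample values, not real AWS resources.

```python
"""Model of VPC security group ingress evaluation (added example, constructed values)."""
import ipaddress
from dataclasses import dataclass, field

DB_PORT = 3306  # constructed: MySQL-compatible RDS listener

@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str     # a CIDR block or a referenced security group id ("sg-...")

@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)

    def allow(self, protocol, from_port, to_port, source):
        self.ingress.append(IngressRule(protocol, from_port, to_port, source))

    def deny(self, protocol, from_port, to_port, source):
        # Security groups are allow-only: traffic not matched by an allow rule
        # is dropped. Explicit deny rules exist only in network ACLs.
        raise ValueError("security groups only support allow rules")

@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str
    security_groups: tuple

def ingress_allowed(dest_sg, src, protocol, port):
    """True if any rule on dest_sg admits traffic from src on protocol/port."""
    src_ip = ipaddress.ip_address(src.private_ip)
    for rule in dest_sg.ingress:
        if rule.protocol not in (protocol, "-1"):
            continue
        if not rule.from_port <= port <= rule.to_port:
            continue
        if rule.source.startswith("sg-"):
            # Source is a security group: match on group membership, not IP.
            if rule.source in src.security_groups:
                return True
        elif src_ip in ipaddress.ip_network(rule.source):
            return True
    return False  # default deny

# Constructed topology: one instance in a public subnet, one in a private subnet.
PUBLIC_SG = "sg-0public000000000"
PRIVATE_SG = "sg-0private00000000"
WEB = Instance("web", "10.0.0.10", (PUBLIC_SG,))    # public subnet 10.0.0.0/24
APP = Instance("app", "10.0.10.20", (PRIVATE_SG,))  # private subnet 10.0.10.0/24

def option_c_db_sg():
    """Option C: allow the DB port only from the private-subnet security group."""
    db = SecurityGroup("sg-0db0000000000000")
    db.allow("tcp", DB_PORT, DB_PORT, PRIVATE_SG)
    return db

def cidr_db_sg():
    """Anti-pattern: allow the DB port from the whole VPC CIDR instead."""
    db = SecurityGroup("sg-0db0000000000000")
    db.allow("tcp", DB_PORT, DB_PORT, "10.0.0.0/16")
    return db

def option_b_attempt():
    """Option B: try to write a deny rule; returns the error message."""
    db = SecurityGroup("sg-0db0000000000000")
    try:
        db.deny("tcp", DB_PORT, DB_PORT, PUBLIC_SG)
    except ValueError as exc:
        return str(exc)
    return None

def who_can_reach(db_sg):
    """Map instance name -> whether it can open the DB port on db_sg."""
    return {inst.name: ingress_allowed(db_sg, inst, "tcp", DB_PORT)
            for inst in (WEB, APP)}

if __name__ == "__main__":
    print("option C :", who_can_reach(option_c_db_sg()))
    print("VPC CIDR :", who_can_reach(cidr_db_sg()))
    print("option B :", option_b_attempt())
```

With the security-group reference (option C), only the private-subnet instance reaches the database; with a VPC-wide CIDR rule, the public-subnet instance gets in too, and moving an instance between subnets or re-addressing it would silently change the result. The same reference-based rule keeps working as instances are launched or replaced, which is the maintainability point in the best practice.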