AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A solutions architect is designing a two-tier web application. The application consists of a public-facing web tier hosted on Amazon EC2 in public subnets. The database tier consists of Microsoft SQL Server running on Amazon EC2 in a private subnet. Security is a high priority for the company.

How should security groups be configured in this situation? (Choose two.)

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.

Configure the security group for the web tier to allow outbound traffic on port 443 from 0.0.0.0/0.

Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.

Configure the security group for the database tier to allow outbound traffic on ports 443 and 1433 to the security group for the web tier.

Configure the security group for the database tier to allow inbound traffic on ports 443 and 1433 from the security group for the web tier.

Explanation:

Explanation

Correct Answers: A and C

Detailed Analysis:

A. Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.

This is correct because the web tier is public-facing and needs to accept HTTPS (port 443) traffic from the internet.
The web server must be accessible to users over HTTPS for secure web traffic.
Using 0.0.0.0/0 allows traffic from any IP address on the internet.

C. Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.

This is correct because Microsoft SQL Server uses port 1433 by default.
The database tier should only accept connections from the web tier, not from the internet.
By referencing the web tier's security group (rather than IP addresses), this creates a dynamic security rule that automatically adjusts if instances in the web tier change.
This follows the principle of least privilege and enhances security.

Why other options are incorrect:

B. Configure the security group for the web tier to allow outbound traffic on port 443 from 0.0.0.0/0.

Incorrect because outbound rules control traffic leaving the instance, not entering it.
The web tier needs to make outbound connections (like to the database or external APIs), but this specific rule is poorly worded and unnecessary.
Security groups are stateful, so if inbound traffic on port 443 is allowed, the return traffic is automatically permitted.

D. Configure the security group for the database tier to allow outbound traffic on ports 443 and 1433 to the security group for the web tier.

Incorrect because:
1. The database doesn't need to initiate connections to the web tier on port 1433 (SQL Server port)
2. Port 443 (HTTPS) is typically not needed for database-to-web-tier communication
3. Security groups are stateful, so if the web tier initiates a connection to the database on port 1433, the return traffic is automatically allowed

E. Configure the security group for the database tier to allow inbound traffic on ports 443 and 1433 from the security group for the web tier.

Incorrect because the database tier only needs port 1433 (SQL Server), not port 443.
Port 443 is for HTTPS web traffic, which should terminate at the web tier, not pass through to the database.
Allowing unnecessary ports increases the attack surface.

Security Best Practices Applied:

Least Privilege: Database only allows necessary port (1433) from specific source (web tier)
Security Group Referencing: Using security group IDs instead of IP addresses for dynamic, scalable security
Tiered Architecture: Public web tier accepts internet traffic; private database tier only accepts internal traffic
Stateful Security Groups: Return traffic is automatically handled, simplifying configuration

Powered ByGPT-5.2

Comments

Loading comments...