
Answer-first summary for fast verification
Answer:
- Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.
- Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.
## Explanation

**Correct Answers:** A and C

**Detailed Analysis:**

**A. Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.**
- This is correct because the web tier is public-facing and needs to accept HTTPS (port 443) traffic from the internet.
- The web server must be reachable by users over HTTPS.
- Using 0.0.0.0/0 allows traffic from any IPv4 address on the internet.

**C. Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.**
- This is correct because Microsoft SQL Server listens on port 1433 by default.
- The database tier should accept connections only from the web tier, never from the internet.
- Referencing the web tier's security group ID (rather than IP addresses) creates a rule that automatically covers instances added to or removed from the web tier.
- This follows the principle of least privilege and enhances security.

**Why other options are incorrect:**

**B. Configure the security group for the web tier to allow outbound traffic on port 443 from 0.0.0.0/0.**
- Incorrect because outbound rules control traffic leaving the instance, not entering it.
- The web tier does need to make outbound connections (to the database or external APIs), but this specific rule is poorly worded and unnecessary.
- Security groups are stateful, so if inbound traffic on port 443 is allowed, the return traffic is automatically permitted.

**D. Configure the security group for the database tier to allow outbound traffic on ports 443 and 1433 to the security group for the web tier.**
- Incorrect because:
  1. The database does not need to initiate connections to the web tier on port 1433 (the SQL Server port).
  2. Port 443 (HTTPS) is not needed for database-to-web-tier communication.
  3. Security groups are stateful, so when the web tier initiates a connection to the database on port 1433, the return traffic is automatically allowed.

**E. Configure the security group for the database tier to allow inbound traffic on ports 443 and 1433 from the security group for the web tier.**
- Incorrect because the database tier needs only port 1433 (SQL Server), not port 443.
- Port 443 is for HTTPS web traffic, which should terminate at the web tier, not pass through to the database.
- Allowing unnecessary ports increases the attack surface.

**Security Best Practices Applied:**
1. **Least Privilege:** The database allows only the necessary port (1433) from a specific source (the web tier).
2. **Security Group Referencing:** Using security group IDs instead of IP addresses gives dynamic, scalable rules.
3. **Tiered Architecture:** The public web tier accepts internet traffic; the private database tier accepts only internal traffic.
4. **Stateful Security Groups:** Return traffic is handled automatically, which simplifies the configuration.
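As an added defender-side check (not part of the LeetQuiz page), the script below audits security-group ingress rules in the shape returned by `aws ec2 describe-security-groups` against options A and C: the web tier may only expose TCP 443, and the database tier may only accept TCP 1433 from the web tier's security group. The group IDs and rule set are constructed placeholders; the sample database group is deliberately in the over-permissive shape of option E so the audit has something to flag.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs are placeholders; the DB group is deliberately in the option E shape.
WEB_SG_ID = "sg-web-placeholder"
DB_SG_ID = "sg-db-placeholder"

SAMPLE_GROUPS = [
    {"GroupId": WEB_SG_ID, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": DB_SG_ID, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG_ID}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG_ID}]}]},
]

def flatten(perm):
    """Expand one IpPermission into (protocol, from, to, source) tuples."""
    proto = perm["IpProtocol"]
    # Protocol "-1" (all traffic) carries no port fields: treat as the full range.
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return [(proto, lo, hi, s) for s in sources]

def audit_web_tier(groups, web_sg_id):
    """Only HTTPS (TCP 443) is expected on the public web tier (option A)."""
    findings = []
    web = next(g for g in groups if g["GroupId"] == web_sg_id)
    for perm in web["IpPermissions"]:
        for proto, lo, hi, src in flatten(perm):
            if (proto, lo, hi) != ("tcp", 443, 443):
                findings.append(f"{web_sg_id}: unexpected ingress {proto} {lo}-{hi} from {src}")
    return findings

def audit_db_tier(groups, db_sg_id, web_sg_id, db_port=1433):
    """Only the SQL Server port, and only from the web tier SG, is expected (option C)."""
    findings = []
    db = next(g for g in groups if g["GroupId"] == db_sg_id)
    for perm in db["IpPermissions"]:
        for proto, lo, hi, src in flatten(perm):
            if src != web_sg_id:  # CIDR or any other SG: the DB is reachable beyond the web tier
                findings.append(f"{db_sg_id}: ingress {proto} {lo}-{hi} from {src}, not the web tier SG")
            elif (proto, lo, hi) != ("tcp", db_port, db_port):  # right source, surplus port
                findings.append(f"{db_sg_id}: extra ingress {proto} {lo}-{hi} from the web tier SG")
    return findings

if __name__ == "__main__":
    for f in audit_web_tier(SAMPLE_GROUPS, WEB_SG_ID) + audit_db_tier(SAMPLE_GROUPS, DB_SG_ID, WEB_SG_ID):
        print("FINDING:", f)
```

On the constructed input the web tier passes and the database tier yields one finding, the surplus port 443 rule that distinguishes option E from option C.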
Author: LeetQuiz Editorial Team
A solutions architect is designing a two-tier web application. The application consists of a public-facing web tier hosted on Amazon EC2 in public subnets. The database tier consists of Microsoft SQL Server running on Amazon EC2 in a private subnet. Security is a high priority for the company.
How should security groups be configured in this situation? (Choose two.)
A. Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.
B. Configure the security group for the web tier to allow outbound traffic on port 443 from 0.0.0.0/0.
C. Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.
D. Configure the security group for the database tier to allow outbound traffic on ports 443 and 1433 to the security group for the web tier.
E. Configure the security group for the database tier to allow inbound traffic on ports 443 and 1433 from the security group for the web tier.