AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is reviewing a recent migration of a three-tier application to a VPC. The security team discovers that the principle of least privilege is not being applied to Amazon EC2 security group ingress and egress rules between the application tiers. What should a solutions architect do to correct this issue?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create security group rules using the instance ID as the source or destination.

Create security group rules using the security group ID as the source or destination.

Create security group rules using the VPC CIDR blocks as the source or destination.

Create security group rules using the subnet CIDR blocks as the source or destination.

Explanation:

Explanation

Correct Answer: B - Create security group rules using the security group ID as the source or destination.

Why this is correct:

Principle of Least Privilege: Using security group IDs as references allows you to specify exactly which security groups can communicate with each other, rather than allowing broad network ranges.
Security Group Referencing: When you reference another security group ID in your rules, you're allowing traffic only from instances associated with that specific security group, not from all instances in a subnet or VPC.
Dynamic and Scalable: This approach is dynamic - as instances are added or removed from the referenced security group, the rules automatically apply without needing updates.
Tier-based Architecture: For a three-tier application, you can create separate security groups for each tier (web, application, database) and reference them specifically.

Why other options are incorrect:

A. Instance ID:

Instance IDs are not used as sources/destinations in security group rules
This would require constant updates as instances are launched/terminated
Not a valid configuration option for security groups

C. VPC CIDR blocks:

Too broad - allows all instances in the entire VPC to communicate
Violates the principle of least privilege
Could allow unintended access between tiers

D. Subnet CIDR blocks:

Still too broad - allows all instances in the subnet to communicate
Doesn't restrict access to specific application tiers
Less secure than security group referencing

Best Practice Implementation:

For a three-tier application:

Create separate security groups for each tier (Web-SG, App-SG, DB-SG)
Configure Web-SG to allow inbound traffic from internet (port 80/443) and outbound to App-SG
Configure App-SG to allow inbound only from Web-SG and outbound only to DB-SG
Configure DB-SG to allow inbound only from App-SG

This ensures each tier can only communicate with the specific tiers it needs to, following the principle of least privilege.

Powered ByGPT-5.2

Comments

Loading comments...