
Answer-first summary for fast verification
Answer: Create security group rules using the security group ID as the source or destination.
## Explanation

**Correct Answer: B - Create security group rules using the security group ID as the source or destination.**

### Why this is correct:

1. **Principle of Least Privilege**: Using security group IDs as references allows you to specify exactly which security groups can communicate with each other, rather than allowing broad network ranges.
2. **Security Group Referencing**: When you reference another security group ID in your rules, you're allowing traffic only from instances associated with that specific security group, not from all instances in a subnet or VPC.
3. **Dynamic and Scalable**: This approach is dynamic: as instances are added to or removed from the referenced security group, the rules apply to them automatically without needing updates.
4. **Tier-based Architecture**: For a three-tier application, you can create separate security groups for each tier (web, application, database) and reference them specifically.

### Why other options are incorrect:

**A. Instance ID**:
- Instance IDs are not used as sources/destinations in security group rules
- This would require constant updates as instances are launched/terminated
- Not a valid configuration option for security groups

**C. VPC CIDR blocks**:
- Too broad: allows all instances in the entire VPC to communicate
- Violates the principle of least privilege
- Could allow unintended access between tiers

**D. Subnet CIDR blocks**:
- Still too broad: allows all instances in the subnet to communicate
- Doesn't restrict access to specific application tiers
- Less secure than security group referencing

### Best Practice Implementation:

For a three-tier application:

1. Create separate security groups for each tier (Web-SG, App-SG, DB-SG)
2. Configure Web-SG to allow inbound traffic from the internet (port 80/443) and outbound to App-SG
3. Configure App-SG to allow inbound only from Web-SG and outbound only to DB-SG
4. Configure DB-SG to allow inbound only from App-SG

This ensures each tier can only communicate with the specific tiers it needs to, following the principle of least privilege.
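The four steps above expressed as a CloudFormation template, added here as an illustration and not part of the original explanation. It assumes a VPC ID parameter, port 8080 for the application tier and 3306 for the database tier; the logical names WebSG, AppSG and DbSG are chosen for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Three-tier security groups that reference each other by group ID (added example)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  # Declared DB -> App -> Web so each tier's inline egress can reference the tier
  # below it; ingress rules pointing back up are separate resources to avoid a cycle.
  DbSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DB tier - inbound only from App-SG, no outbound
      VpcId: !Ref VpcId
      # Any inline egress rule removes the implicit allow-all outbound rule; the
      # loopback /32 is a placeholder that permits no real traffic.
      SecurityGroupEgress:
        - { IpProtocol: "-1", CidrIp: 127.0.0.1/32 }
  AppSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App tier - inbound only from Web-SG, outbound only to DB-SG
      VpcId: !Ref VpcId
      SecurityGroupEgress:   # 3306 is an assumed database port
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          DestinationSecurityGroupId: !Ref DbSG
  WebSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier - 80/443 from the internet, outbound only to App-SG
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
      SecurityGroupEgress:   # 8080 is an assumed application port
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          DestinationSecurityGroupId: !Ref AppSG
  # Source is a security group ID, not a subnet or VPC CIDR, so only instances
  # that carry Web-SG (or App-SG) can reach the tier below.
  AppIngressFromWeb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties: { GroupId: !Ref AppSG, IpProtocol: tcp, FromPort: 8080, ToPort: 8080, SourceSecurityGroupId: !Ref WebSG }
  DbIngressFromApp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties: { GroupId: !Ref DbSG, IpProtocol: tcp, FromPort: 3306, ToPort: 3306, SourceSecurityGroupId: !Ref AppSG }
```

Because security groups are stateful, the database tier needs no outbound rule to answer connections from the application tier; leaving the default allow-all egress in place would silently undo the least-privilege intent.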
Author: LeetQuiz Editorial Team
A company is reviewing a recent migration of a three-tier application to a VPC. The security team discovers that the principle of least privilege is not being applied to Amazon EC2 security group ingress and egress rules between the application tiers. What should a solutions architect do to correct this issue?
A
Create security group rules using the instance ID as the source or destination.
B
Create security group rules using the security group ID as the source or destination.
C
Create security group rules using the VPC CIDR blocks as the source or destination.
D
Create security group rules using the subnet CIDR blocks as the source or destination.