AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A solutions architect is creating a new VPC design. There are two public subnets for the load balancer, two private subnets for web servers, and two private subnets for MySQL. The web servers use only HTTPS. The solutions architect has already created a security group for the load balancer allowing port 443 from 0.0.0.0/0. Company policy requires that each resource has the least access required to still be able to perform its tasks.

Which additional configuration strategy should the solutions architect use to meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create a security group for the web servers and allow port 443 from 0.0.0.0/0. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.

Create a network ACL for the web servers and allow port 443 from 0.0.0.0/0. Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.

Create a security group for the web servers and allow port 443 from the load balancer. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.

Create a network ACL for the web servers and allow port 443 from the load balancer. Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.

Explanation:

Explanation

Correct Answer: C

Why Option C is correct:

Least Privilege Principle: The company policy requires "least access required." Web servers should only accept HTTPS traffic from the load balancer, not from the entire internet (0.0.0.0/0).
Security Groups vs Network ACLs: Security groups operate at the instance level and are stateful, while Network ACLs operate at the subnet level and are stateless. For instance-level security, security groups are more appropriate.
Architecture Design:
- Load balancer security group already allows port 443 from internet
- Web servers should only allow port 443 from the load balancer's security group
- MySQL servers should only allow port 3306 from the web servers' security group

Why other options are incorrect:

Option A: Allows web servers to accept HTTPS from the entire internet (0.0.0.0/0), violating the least privilege principle.
Option B: Uses Network ACLs instead of security groups. Network ACLs are subnet-level and stateless, making them less granular and more complex to manage for instance-level security.
Option D: Uses Network ACLs instead of security groups, and while it restricts web server access to the load balancer, Network ACLs are not the best tool for this specific requirement.

Key AWS Concepts:

Security Groups: Stateful, instance-level firewall
Network ACLs: Stateless, subnet-level firewall
Least Privilege: Grant only necessary permissions
Security Group Referencing: Can reference other security groups (e.g., allow from load balancer SG to web server SG)

This configuration ensures that web servers are only accessible via the load balancer, and MySQL servers are only accessible from web servers, following the principle of least privilege.

Powered ByGPT-5.2

Comments

Loading comments...