
Answer-first summary for fast verification
Answer: Create a security group for the web servers and allow port 443 from the load balancer. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.
## Explanation

**Correct Answer: C**

**Why Option C is correct:**

1. **Least Privilege Principle**: The company policy requires "least access required." Web servers should only accept HTTPS traffic from the load balancer, not from the entire internet (0.0.0.0/0).
2. **Security Groups vs Network ACLs**: Security groups operate at the instance level and are stateful, while Network ACLs operate at the subnet level and are stateless. For instance-level security, security groups are more appropriate.
3. **Architecture Design**:
   - The load balancer security group already allows port 443 from the internet
   - Web servers should only allow port 443 from the load balancer's security group
   - MySQL servers should only allow port 3306 from the web servers' security group

**Why other options are incorrect:**

- **Option A**: Allows web servers to accept HTTPS from the entire internet (0.0.0.0/0), violating the least privilege principle.
- **Option B**: Uses Network ACLs instead of security groups. Network ACLs are subnet-level and stateless, making them less granular and more complex to manage for instance-level security; a network ACL rule also matches on CIDR ranges only and cannot name a security group as its source, so the rule described for the MySQL tier cannot be expressed as written.
- **Option D**: Uses Network ACLs instead of security groups, and while it restricts web server access to the load balancer, Network ACLs are not the best tool for this specific requirement.

**Key AWS Concepts:**

- **Security Groups**: Stateful, instance-level firewall
- **Network ACLs**: Stateless, subnet-level firewall
- **Least Privilege**: Grant only necessary permissions
- **Security Group Referencing**: A security group rule can reference another security group as its source (e.g., allow 443 to the web server SG from the load balancer SG)

This configuration ensures that web servers are only accessible via the load balancer, and MySQL servers are only accessible from web servers, following the principle of least privilege.
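As an added example (not code from the original page or from AWS), the audit below checks a set of security groups, in the JSON shape returned by `aws ec2 describe-security-groups`, for the Option C chain: 443 on the web tier only from the load balancer group, 3306 on the MySQL tier only from the web group, and no 0.0.0.0/0 on either private tier. The group ids `sg-lb`, `sg-web`, `sg-db` and the rules are constructed samples.

```python
# Added example: audit security-group ingress for the least-access chain in the explanation.
def tcp_sources(sg, port):
    """Set of ingress sources (CIDRs and referenced SG ids) that can reach TCP `port`."""
    sources = set()
    for perm in sg["IpPermissions"]:
        proto = perm.get("IpProtocol")
        all_ports = proto == "-1"  # "-1" means all protocols and all ports
        if not all_ports and proto != "tcp":
            continue
        if not all_ports and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        sources.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        sources.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return sources

def audit_tier(sg, port, upstream_sg):
    """Findings for one private tier: `port` must be reachable only from `upstream_sg`."""
    findings = []
    for perm in sg["IpPermissions"]:
        if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            findings.append(f"{sg['GroupId']}: open to 0.0.0.0/0 (the Option A mistake)")
    sources = tcp_sources(sg, port)
    if upstream_sg not in sources:
        findings.append(f"{sg['GroupId']}: port {port} is not allowed from {upstream_sg}")
    extra = sources - {upstream_sg}
    if extra:
        findings.append(f"{sg['GroupId']}: port {port} also allowed from {sorted(extra)}")
    return findings

def audit_chain(groups, lb="sg-lb", web="sg-web", db="sg-db"):
    """Check web (443 from LB only) and MySQL (3306 from web only); [] means compliant."""
    by_id = {g["GroupId"]: g for g in groups}
    return audit_tier(by_id[web], 443, lb) + audit_tier(by_id[db], 3306, web)

def rule(port, cidr=None, group=None):
    """Build one IpPermissions entry for a single TCP port (constructed helper)."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": []}
    if cidr:
        perm["IpRanges"].append({"CidrIp": cidr})
    if group:
        perm["UserIdGroupPairs"].append({"GroupId": group})
    return perm

# Constructed sample groups: Option C (compliant) versus Option A (web tier open to the internet).
LB = {"GroupId": "sg-lb", "IpPermissions": [rule(443, cidr="0.0.0.0/0")]}
DB = {"GroupId": "sg-db", "IpPermissions": [rule(3306, group="sg-web")]}
OPTION_C = [LB, {"GroupId": "sg-web", "IpPermissions": [rule(443, group="sg-lb")]}, DB]
OPTION_A = [LB, {"GroupId": "sg-web", "IpPermissions": [rule(443, cidr="0.0.0.0/0")]}, DB]
```

Run `audit_chain(OPTION_C)` for an empty findings list and `audit_chain(OPTION_A)` to see the open-to-internet web tier flagged.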
Author: LeetQuiz Editorial Team
A solutions architect is creating a new VPC design. There are two public subnets for the load balancer, two private subnets for web servers, and two private subnets for MySQL. The web servers use only HTTPS. The solutions architect has already created a security group for the load balancer allowing port 443 from 0.0.0.0/0. Company policy requires that each resource has the least access required to still be able to perform its tasks.
Which additional configuration strategy should the solutions architect use to meet these requirements?
A. Create a security group for the web servers and allow port 443 from 0.0.0.0/0. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.

B. Create a network ACL for the web servers and allow port 443 from 0.0.0.0/0. Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.

C. Create a security group for the web servers and allow port 443 from the load balancer. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.

D. Create a network ACL for the web servers and allow port 443 from the load balancer. Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.