
Answer-first summary for fast verification
Answer: Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
## Explanation

**Correct Answer: A**

**Why Option A is correct:**

1. **Web server security group**: Port 443 (HTTPS) must be open to the public internet (`0.0.0.0/0`) because customers are globally distributed and have dynamic IP addresses; an allow list of customer addresses would go stale as soon as an address changed. Only TCP 443 is opened, not all traffic.
2. **Database security group**: Port 3306 (MySQL) allows traffic only from the web server security group, never from the public internet. Referencing the security group rather than instance IP addresses keeps the rule correct as web instances are launched, replaced, or scaled. This follows the principle of least privilege: the database is reachable only from the tier that needs it.

Security groups are stateful, so no additional rule is needed for the database's replies to the web servers.

**Why other options are incorrect:**

**Option B**: Customers have dynamic IP addresses, so listing specific addresses in the web server security group cannot be maintained. The web servers need to be accessible from anywhere.

**Option C**: Incorrect for two reasons:
1. The web servers cannot be restricted to specific customer IPs because those IPs are dynamic.
2. The database should never be exposed directly to customer IP addresses or to the public internet.

**Option D**: Exposing the database (port 3306) to `0.0.0.0/0` makes it reachable from the whole internet, which is a major security vulnerability.

**Key Security Principles Applied:**

- **Principle of Least Privilege**: the database accepts connections only from the web servers, and only on port 3306.
- **Defense in Depth**: each tier has its own security group, so the public rule on the web tier does not open the database.
- **Secure Network Architecture**: web tier public-facing, database tier private.
- **Dynamic IP Handling**: `0.0.0.0/0` on the web tier accommodates customers with changing IP addresses.

**Best Practice**: Keep databases in private subnets with security groups that only allow traffic from the application servers, never from the public internet.
Author: LeetQuiz Editorial Team
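The two rule sets from option A written out in the `ip-permissions` shape that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts and `describe-security-groups` returns, together with a small audit that flags the option D mistake (port 3306 open to a CIDR) or any other source that can reach the database port beyond the web tier's group. This is an added example, not code from the original page; the security group IDs are constructed placeholders and do not refer to real resources.

```python
"""Security-group ingress rules for option A, plus an audit of the DB rule.

Added example, not from the original page. The group IDs below are
constructed placeholders, not real resources."""

import json
from typing import Dict, List, Set, Tuple

WEB_SG = "sg-0web0000000000000"  # constructed placeholder, web tier group
DB_SG = "sg-0db00000000000000"   # constructed placeholder, database tier group
ANY_IPV4 = "0.0.0.0/0"


def web_tier_ingress() -> List[Dict]:
    """HTTPS from anywhere: customers are global and have dynamic addresses."""
    return [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": ANY_IPV4, "Description": "public HTTPS"}],
    }]


def db_tier_ingress(web_sg_id: str) -> List[Dict]:
    """MySQL only from members of the web tier's security group. The rule
    references the group, not instance addresses, so it stays valid as web
    instances are replaced or scaled; security groups are stateful, so the
    database's replies need no extra rule."""
    return [{
        "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
        "UserIdGroupPairs": [{"GroupId": web_sg_id, "Description": "web tier"}],
    }]


# Option D's database rule, kept only as a negative example for the audit.
OPTION_D_DB_INGRESS = [{
    "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [{"CidrIp": ANY_IPV4}],
}]


def cli_command(group_id: str, permissions: List[Dict]) -> str:
    """Render the AWS CLI call that applies `permissions` to `group_id`."""
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{json.dumps(permissions)}'")


def _covers_port(rule: Dict, port: int) -> bool:
    """True if the rule's protocol/port range includes TCP `port`.
    IpProtocol "-1" means all traffic and carries no port fields."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def public_port_ranges(rules: List[Dict]) -> List[Tuple[int, int]]:
    """Port ranges any rule opens to 0.0.0.0/0 (what a public tier exposes)."""
    return [(r.get("FromPort", 0), r.get("ToPort", 65535)) for r in rules
            if any(ip.get("CidrIp") == ANY_IPV4 for ip in r.get("IpRanges", []))]


def audit_db_ingress(rules: List[Dict], allowed_groups: Set[str],
                     port: int = 3306) -> List[str]:
    """Findings for every source that can reach `port` other than the allowed
    security groups: any CIDR at all (public or private) or an unexpected group."""
    findings = []
    for rule in rules:
        if not _covers_port(rule, port):
            continue
        for ip in rule.get("IpRanges", []):
            findings.append(f"port {port} open to CIDR {ip['CidrIp']}")
        for ip in rule.get("Ipv6Ranges", []):
            findings.append(f"port {port} open to CIDR {ip['CidrIpv6']}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") not in allowed_groups:
                findings.append(f"port {port} open to group {pair.get('GroupId')}")
    return findings


if __name__ == "__main__":
    print(cli_command(WEB_SG, web_tier_ingress()))
    print(cli_command(DB_SG, db_tier_ingress(WEB_SG)))
    print("option A findings:", audit_db_ingress(db_tier_ingress(WEB_SG), {WEB_SG}))
    print("option D findings:", audit_db_ingress(OPTION_D_DB_INGRESS, {WEB_SG}))
```

The audit treats any CIDR on the database port as a finding, not just `0.0.0.0/0`, because the requirement is that only the web tier reaches MySQL; a private CIDR would still admit every host in that range rather than only web instances. An `IpProtocol` of `-1` (all traffic) is also caught, since such a rule has no port fields but still covers 3306.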
A company wants to deploy a new public web application on AWS. The application includes a web server tier that uses Amazon EC2 instances. The application also includes a database tier that uses an Amazon RDS for MySQL DB instance.
The application must be secure and accessible for global customers that have dynamic IP addresses.
How should a solutions architect configure the security groups to meet these requirements?
A
Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
B
Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
C
Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the IP addresses of the customers.
D
Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from 0.0.0.0/0.