A solutions architect is designing a two-tiered architecture that includes a public subnet and a database subnet. The web servers in the public subnet must be open to the internet on port 443. The Amazon RDS for MySQL DB instance in the database subnet must be accessible only to the web servers on port 3306.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
A. Create a network ACL for the public subnet. Add a rule to deny outbound traffic to 0.0.0.0/0 on port 3306.
B. Create a security group for the DB instance. Add a rule to allow traffic from the public subnet CIDR block on port 3306.
C. Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443.
D. Create a security group for the DB instance. Add a rule to allow traffic from the web servers' security group on port 3306.
E. Create a security group for the DB instance. Add a rule to deny all traffic except traffic from the web servers' security group on port 3306.
Explanation:
Correct Answers: C and D
C: Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443.
D: Create a security group for the DB instance. Add a rule to allow traffic from the web servers’ security group on port 3306.
Why other options are incorrect:
A: Network ACLs operate at the subnet level and are stateless. While NACLs could be used, they are not the primary security mechanism for this scenario; security groups (stateful, applied per instance) are the preferred method. Additionally, denying outbound traffic on port 3306 does not address the actual requirement, which is to allow only the web servers to reach the DB instance.
B: Allowing the public subnet CIDR block is less secure than referencing the web servers' security group, because a CIDR rule admits any instance in that subnet, not only the web servers. If IP addresses change or new instances are added, the CIDR-based rule may no longer match the intended sources. Security group references follow the instances they are attached to, so they are both more dynamic and more secure.
E: Security groups are allow-only: they have no explicit deny rules. All traffic is denied by default unless a rule explicitly allows it, so the "deny all except" rule described in E cannot be created.