Question #1411
A company is deploying a public-facing web application on AWS. The application's frontend runs on Amazon EC2 instances, and the backend uses an Amazon RDS for PostgreSQL database. The application must be secure and accessible to global users with dynamic IP addresses. How should the security groups be configured?
A. Configure the security group for the EC2 instances to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the RDS instance to allow inbound traffic on port 5432 from the security group of the EC2 instances.
B. Configure the security group for the EC2 instances to allow inbound traffic on port 443 from the customers' IP addresses. Configure the security group for the RDS instance to allow inbound traffic on port 5432 from the security group of the EC2 instances.
C. Configure the security group for the EC2 instances to allow inbound traffic on port 443 from the customers' IP addresses. Configure the security group for the RDS instance to allow inbound traffic on port 5432 from the customers' IP addresses.
D. Configure the security group for the EC2 instances to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the RDS instance to allow inbound traffic on port 5432 from 0.0.0.0/0.
Explanation
The correct answer is A. Here's why:
- EC2 Security Group: The frontend must be reachable from anywhere over HTTPS (port 443). A source of 0.0.0.0/0 admits every IPv4 address, which is the only workable rule for users whose addresses change (add ::/0 as well if the instances are reachable over IPv6, since 0.0.0.0/0 matches IPv4 only). Options B and C restrict port 443 to a fixed list of customer IPs, which cannot be kept current for dynamic users and would lock legitimate clients out.
- RDS Security Group: The database should accept connections only from the frontend tier. Referencing the EC2 security group as the source (rather than instance IPs) ties the rule to group membership, so instances can be replaced or scaled without editing the database rule, and RDS is never reachable from the internet. Option D opens port 5432 to 0.0.0.0/0, a critical exposure. Option C also incorrectly allows customers to connect directly to the database.
Key Points:
1. Public-facing apps require the frontend security group to allow 0.0.0.0/0 on port 443 (and ::/0 if IPv6 is in use).
2. RDS should only allow traffic on its database port from the EC2 tier, expressed as a security group reference rather than CIDR ranges.
3. Never expose databases to the public internet.
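As an added example (not part of the original question or its answer), the Python below builds all four option topologies in the IpPermissions shape that `ec2.describe_security_groups` returns and audits them against the key points above. The group IDs and customer CIDRs are constructed placeholders; no AWS calls are made. Because the shape matches the API, `audit()` also accepts the `SecurityGroups` list from a real `aws ec2 describe-security-groups --output json` call, so it doubles as a quick check that a database group has no CIDR sources on its port.

```python
"""
Security-group audit for the two-tier layout in the question.

Rules use the IpPermissions shape returned by ec2.describe_security_groups
(and accepted by ec2.authorize_security_group_ingress). No AWS calls are
made; every group ID and CIDR below is a constructed placeholder.
"""
WEB_SG = "sg-0aaa1111aaaa1111a"   # placeholder: frontend EC2 group
DB_SG = "sg-0bbb2222bbbb2222b"    # placeholder: RDS PostgreSQL group
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
HTTPS, POSTGRES = 443, 5432
# Constructed customer ranges (RFC 5737 documentation nets) standing in for
# the "customers' IP addresses" of options B and C.
CUSTOMER_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"]


def ingress(port, source):
    """One IpPermission for TCP `port`, sourced from a CIDR or a security group."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": []}
    if source.startswith("sg-"):
        perm["UserIdGroupPairs"].append({"GroupId": source})
    elif ":" in source:
        perm["Ipv6Ranges"].append({"CidrIpv6": source})
    else:
        perm["IpRanges"].append({"CidrIp": source})
    return perm


def option(web_sources, db_sources):
    """Both groups for one answer choice, in describe-security-groups shape."""
    return [
        {"GroupId": WEB_SG, "IpPermissions": [ingress(HTTPS, s) for s in web_sources]},
        {"GroupId": DB_SG, "IpPermissions": [ingress(POSTGRES, s) for s in db_sources]},
    ]


OPTIONS = {
    "A": option([ANY_V4], [WEB_SG]),
    "B": option(CUSTOMER_CIDRS, [WEB_SG]),
    "C": option(CUSTOMER_CIDRS, CUSTOMER_CIDRS),
    "D": option([ANY_V4], [ANY_V4]),
}


def audit(groups, web_sg_id=WEB_SG, db_sg_id=DB_SG, db_port=POSTGRES):
    """Return sorted, de-duplicated issue codes; an empty list means acceptable."""
    issues = set()
    web_global = False          # some rule admits the whole internet on 443
    db_rule_from_web = False    # some DB rule references the frontend group
    for group in groups:
        for perm in group["IpPermissions"]:
            # Protocol "-1" rules carry no port fields: treat them as all ports.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            v4 = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            v6 = {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            refs = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
            internet = ANY_V4 in v4 or ANY_V6 in v6
            if group["GroupId"] == db_sg_id and lo <= db_port <= hi:
                if internet:
                    issues.add("DB_PUBLIC")            # option D
                elif v4 or v6:
                    issues.add("DB_CIDR_SOURCE")       # option C
                if refs - {web_sg_id}:
                    issues.add("DB_UNEXPECTED_SG")     # trusts some other tier
                if web_sg_id in refs:
                    db_rule_from_web = True
            if group["GroupId"] == web_sg_id and lo <= HTTPS <= hi and internet:
                web_global = True
    if not web_global:
        issues.add("WEB_NOT_GLOBAL")                   # options B and C
    if not db_rule_from_web:
        issues.add("DB_NO_WEB_SG_RULE")                # options C and D
    return sorted(issues)


def verdicts():
    """Issue codes for each of the four answer choices."""
    return {label: audit(groups) for label, groups in OPTIONS.items()}


if __name__ == "__main__":
    for label, codes in verdicts().items():
        print(label, "OK" if not codes else ", ".join(codes))
```

Only option A comes back clean; B fails the reachability requirement, C fails both, and D is flagged for exposing the database port to the internet. The `DB_UNEXPECTED_SG` code is there for real audits, where a database group that trusts a bastion or batch tier's group should at least be reviewed.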
Answer
The correct answer is: A