Question #1425
A solutions architect is designing a two-tiered architecture that includes a public subnet and a database subnet. The web servers in the public subnet must be accessible from the internet on port 80. The Amazon RDS for PostgreSQL DB instance in the database subnet must be reachable only by the web servers on port 5432.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
A. Create a network ACL for the public subnet. Add a rule to deny outbound traffic to 0.0.0.0/0 on port 5432.
B. Create a security group for the DB instance. Add a rule to allow traffic from the public subnet CIDR block on port 5432.
C. Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 80.
D. Create a security group for the DB instance. Add a rule to allow traffic from the web servers' security group on port 5432.
E. Create a security group for the DB instance. Add a rule to deny all traffic except traffic from the web servers' security group on port 5432.
Explanation
To meet the requirements:
- C is correct because the web servers' security group must allow inbound traffic on port 80 (HTTP) from the internet (0.0.0.0/0).
- D is correct because the database security group should allow inbound traffic on port 5432 (PostgreSQL) only from the web servers' security group, ensuring least privilege.
Why others are incorrect:
- A: Network ACLs are unnecessary here; security groups handle port-specific rules more effectively. Worse, a rule denying outbound traffic to 0.0.0.0/0 on port 5432 from the public subnet would also block the web servers themselves from reaching the DB instance.
- B: Using the public subnet's CIDR is less secure than referencing the web servers' security group.
- E: Security groups support allow rules only and implicitly deny all other inbound traffic, so an explicit deny rule is neither possible nor needed.
Key Points:
1. Use security groups for instance-level traffic control.
2. Reference security groups (not IP ranges) for tighter security.
3. Security groups are stateful; no need to manage return traffic rules.
Answer
The correct answer is: {C,D}
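As an added illustration (not part of the question or its explanation), the following Python model of security-group evaluation uses constructed sample addresses to show why option D is tighter than option B: a host in the public subnet that is not a web server can reach the database under B but not under D, while the internet is blocked from the database under both.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Rule:
    port: int
    cidr: Optional[str] = None       # source given as an IP range
    source_sg: Optional[str] = None  # source given as another security group

@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)  # allow rules only

@dataclass
class Host:
    ip: str
    sgs: Set[str]  # security groups this host is a member of

def ingress_allowed(groups: Dict[str, SecurityGroup], dst: Host, src: Host, port: int) -> bool:
    """Security groups have no deny rules: traffic is allowed only if some rule matches.
    Return traffic is not modelled because security groups are stateful."""
    for sg_name in dst.sgs:
        for rule in groups[sg_name].ingress:
            if rule.port != port:
                continue
            if rule.cidr and ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.cidr):
                return True
            if rule.source_sg and rule.source_sg in src.sgs:
                return True
    return False

PUBLIC_SUBNET = "10.0.1.0/24"  # constructed sample CIDR for the public subnet

def build(option: str) -> Dict[str, SecurityGroup]:
    """Option D references the web servers' SG; option B uses the public subnet CIDR."""
    db_rule = Rule(5432, source_sg="web-sg") if option == "D" else Rule(5432, cidr=PUBLIC_SUBNET)
    return {
        "web-sg": SecurityGroup("web-sg", [Rule(80, cidr="0.0.0.0/0")]),
        "db-sg": SecurityGroup("db-sg", [db_rule]),
    }

# Constructed hosts: a web server, a non-web host in the public subnet, an internet client, the DB.
web = Host("10.0.1.10", {"web-sg"})
rogue = Host("10.0.1.20", set())
internet = Host("203.0.113.5", set())
db = Host("10.0.2.10", {"db-sg"})

def check(option: str) -> Dict[str, bool]:
    g = build(option)
    return {
        "internet->web:80": ingress_allowed(g, web, internet, 80),
        "web->db:5432": ingress_allowed(g, db, web, 5432),
        "internet->db:5432": ingress_allowed(g, db, internet, 5432),
        "rogue->db:5432": ingress_allowed(g, db, rogue, 5432),
    }
```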