How should a solutions architect configure the security groups to meet these requirements?
A. Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
B. Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
C. Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the IP addresses of the customers.
D. Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from 0.0.0.0/0.
Explanations:
Option A: This configuration allows inbound HTTPS traffic (port 443) from any client on the internet, which a public web application needs. It also restricts database access to the web servers only, by allowing inbound MySQL traffic (port 3306) solely from the web servers' security group; referencing the security group rather than IP addresses is the recommended way to limit direct access to the database. This is the correct option.
Option B: Allowing inbound traffic on port 443 only from the customers' IP addresses fails to account for dynamic IPs, which may change frequently, so legitimate users could be blocked. The database rule (port 3306 from the web servers' security group) is correct, but the web servers' security group should not be restricted to specific customer IPs.
Option C: As with option B, allowing inbound traffic on port 443 only from specific customer IP addresses is problematic because those IPs are dynamic. Furthermore, allowing the database to accept inbound traffic on port 3306 from customer IPs is a significant security risk, since it exposes the database directly to the internet instead of confining access to the web tier.
Option D: Opening both the web servers and the database to all IPs (0.0.0.0/0) is a serious security concern. While it does give users access to the application, it also leaves the database completely exposed to the internet, making it susceptible to attacks and unauthorized access. This configuration is not acceptable for a production environment.
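To make the reasoning above mechanical, the four options can be encoded as security-group rule sets and checked against the two requirements (web tier reachable on 443 from anywhere; DB tier reachable on 3306 only from the web servers' security group). This is an added example, not part of the original question set: the group IDs and customer addresses are constructed placeholders, and the rule dictionaries mirror the `IpPermissions` shape returned by `aws ec2 describe-security-groups`.

```python
# Added example: check EC2 security-group rule sets against the question's requirements.
WEB_SG = "sg-web-placeholder"          # constructed group ID of the web servers' SG
DB_SG = "sg-db-placeholder"            # constructed group ID of the DB instance's SG
CUSTOMER_CIDRS = ["203.0.113.10/32", "198.51.100.25/32"]  # constructed; dynamic in practice


def rule(port, cidrs=(), source_sgs=()):
    """Build one IpPermissions entry for a single TCP port (describe-security-groups shape)."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "UserIdGroupPairs": [{"GroupId": g} for g in source_sgs],
    }


def covering(perms, port):
    """Entries whose protocol/port range covers TCP `port` ('-1' means all traffic)."""
    return [p for p in perms if p["IpProtocol"] == "-1"
            or (p["IpProtocol"] == "tcp"
                and p.get("FromPort", 0) <= port <= p.get("ToPort", 65535))]


def findings(web_perms, db_perms):
    """Return a list of findings; an empty list means both requirements are met."""
    out = []
    web443 = covering(web_perms, 443)
    if not any(r["CidrIp"] == "0.0.0.0/0" for p in web443 for r in p["IpRanges"]):
        out.append("web: 443 not open to the internet; customers with changing IPs get blocked")
    db3306 = covering(db_perms, 3306)
    for p in db3306:
        for r in p["IpRanges"]:            # any CIDR source exposes the DB beyond the web tier
            out.append(f"db: 3306 reachable from CIDR {r['CidrIp']} instead of the web SG")
        for g in p["UserIdGroupPairs"]:
            if g["GroupId"] != WEB_SG:
                out.append(f"db: 3306 reachable from unexpected group {g['GroupId']}")
    if not any(g["GroupId"] == WEB_SG for p in db3306 for g in p["UserIdGroupPairs"]):
        out.append("db: no 3306 rule references the web servers' security group")
    return out


# The four answer options as (web SG ingress, DB SG ingress) pairs.
OPTIONS = {
    "A": ([rule(443, cidrs=["0.0.0.0/0"])], [rule(3306, source_sgs=[WEB_SG])]),
    "B": ([rule(443, cidrs=CUSTOMER_CIDRS)], [rule(3306, source_sgs=[WEB_SG])]),
    "C": ([rule(443, cidrs=CUSTOMER_CIDRS)], [rule(3306, cidrs=CUSTOMER_CIDRS)]),
    "D": ([rule(443, cidrs=["0.0.0.0/0"])], [rule(3306, cidrs=["0.0.0.0/0"])]),
}


def compliant_options():
    """Letters of the options that produce no findings."""
    return [k for k, (web, db) in OPTIONS.items() if not findings(web, db)]


if __name__ == "__main__":
    for k, (web, db) in OPTIONS.items():
        print(k, findings(web, db) or "OK")
```

The same `findings` function can be run over real `describe-security-groups` output for a deployed web/DB pair to confirm the DB group has no CIDR-based 3306 rule.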