How should a solutions architect configure the security groups to meet these requirements?
Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers.
Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers. Configure the security group for the DB instance to allow inbound traffic on port 3306 from the IP addresses of the customers.
Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0/0. Configure the security group for the DB instance to allow inbound traffic on port 3306 from 0.0.0.0/0.
Explanations:
Allowing inbound traffic on port 443 from 0.0.0.0/0 on the web server security group gives global HTTPS access, which a public-facing application needs (0.0.0.0/0 covers IPv4 only; ::/0 is the IPv6 equivalent if the web tier is dual-stack). The database security group allows port 3306 only from the web servers' security group as the source. A security-group reference matches any network interface that belongs to that group, so the rule follows web instances as they are replaced or scaled without any IP maintenance, and nothing outside that group, including the internet, can reach the database port. Because security groups are stateful, the return traffic from the database to the web servers is allowed automatically. This is the correct option.
Allowing inbound traffic on port 443 only from specific customer IP addresses is impractical for a global application: customer addresses are dynamic and unknown in advance, so the security group would need constant updates and would still block users whose addresses were not listed.
Allowing inbound traffic to the database from customer IP addresses is insecure because it permits clients to connect to the database directly, bypassing the web tier that should be the only path to it. This violates the principle of least privilege and exposes the database port to every host in those ranges.
Allowing inbound traffic to the database on port 3306 from 0.0.0.0/0 is the worst option: it makes the database reachable from any IPv4 address, leaving it exposed to credential brute-forcing and to any exploitable weakness in the database engine, with no network-layer control protecting the data.
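The following is an added example, not part of the original question or its explanations. It builds the two rule sets from the correct option in the IpPermissions shape the EC2 API uses for authorize-security-group-ingress and returns from describe-security-groups, renders the equivalent AWS CLI calls as strings, and audits a database security group for the mistakes in the other options (a CIDR source on the database port, an unexpected source group, or an all-traffic rule). The security group IDs are made-up placeholders and the "customer" range is a documentation prefix; no AWS call is made.

```python
"""Build and audit security-group rules for a two-tier web/DB design.

Added example; the group IDs are placeholders and the rule dictionaries
follow the EC2 IpPermissions structure. Nothing here talks to AWS.
"""
import json

WEB_SG = "sg-0aaaaaaaaaaaaaaa1"  # placeholder: web-tier security group
DB_SG = "sg-0bbbbbbbbbbbbbbb2"   # placeholder: RDS security group


def web_sg_ingress(ipv6=False):
    """HTTPS from anywhere. ::/0 is the IPv6 counterpart of 0.0.0.0/0 and is
    only needed when the web tier is dual-stack (the question assumes IPv4)."""
    perm = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public HTTPS"}],
            "Ipv6Ranges": [], "UserIdGroupPairs": []}
    if ipv6:
        perm["Ipv6Ranges"].append({"CidrIpv6": "::/0", "Description": "public HTTPS v6"})
    return [perm]


def db_sg_ingress(web_sg_id=WEB_SG):
    """MySQL/Aurora port only from members of the web-tier group. The source is
    a security-group reference, not a CIDR, so it matches every ENI in that
    group as instances come and go and never matches a host outside it."""
    return [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": web_sg_id, "Description": "web tier"}]}]


def authorize_commands(group_id, ingress):
    """Render the equivalent AWS CLI call for a rule set (returned, not run)."""
    return [f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{json.dumps(ingress)}'"]


def _covers_port(perm, port):
    """True if this permission entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":              # "all traffic" rules carry no port fields
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def audit_db_sg(ingress, allowed_source_sg, db_port=3306):
    """Return one finding per rule that exposes db_port to anything other than
    allowed_source_sg. An empty list means the group matches the correct option."""
    findings = []
    for perm in ingress:
        if not _covers_port(perm, db_port):
            continue
        for r in perm.get("IpRanges", []):
            cidr = r["CidrIp"]
            sev = "CRITICAL" if cidr == "0.0.0.0/0" else "HIGH"
            findings.append(f"{sev}: port {db_port} open to CIDR {cidr}")
        for r in perm.get("Ipv6Ranges", []):
            cidr = r["CidrIpv6"]
            sev = "CRITICAL" if cidr == "::/0" else "HIGH"
            findings.append(f"{sev}: port {db_port} open to CIDR {cidr}")
        for g in perm.get("UserIdGroupPairs", []):
            if g.get("GroupId") != allowed_source_sg:
                findings.append(f"HIGH: port {db_port} open to security group {g.get('GroupId')}")
    return findings


# Constructed describe-security-groups style rule sets for the wrong options.
OPTION_C_DB = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                "IpRanges": [{"CidrIp": "203.0.113.0/24"}],  # stand-in "customer" range
                "Ipv6Ranges": [], "UserIdGroupPairs": []}]
OPTION_D_DB = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [], "UserIdGroupPairs": []}]

if __name__ == "__main__":
    for cmd in authorize_commands(WEB_SG, web_sg_ingress()) + authorize_commands(DB_SG, db_sg_ingress()):
        print(cmd)
    for name, rules in (("correct", db_sg_ingress()), ("option C", OPTION_C_DB), ("option D", OPTION_D_DB)):
        print(name, "->", audit_db_sg(rules, WEB_SG) or "compliant")
```

The audit deliberately treats an all-traffic (`-1`) rule and a TCP port range that happens to include 3306 as exposures too, since both are common ways the database port ends up open without a rule that literally says 3306.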