What is the MOST restrictive configuration for the DB instance security group?
A. Only allow incoming traffic from the sg-application-servers security group on port 3306.
B. Only allow incoming traffic from the sg-application-servers security group on port 443.
C. Only allow incoming traffic from the subnet of the application servers on port 3306.
D. Only allow incoming traffic from the subnet of the application servers on port 443.
Explanations:
A. This option is the most restrictive: it allows traffic only from the security group attached to the application servers (sg-application-servers), and only on the MySQL port (3306). Because the rule matches on security group membership rather than on IP address, the DB is reachable only by the application servers and by no other source.
B. Port 443 is used for HTTPS traffic, which is not relevant to MySQL database connections. Allowing traffic on port 443 would unnecessarily open the DB to web traffic while still not permitting the MySQL connections the application actually needs.
C. Allowing traffic from the subnet of the application servers on port 3306 is broader than option A, because a CIDR-based rule admits every resource within the subnet (not just the application servers), potentially exposing the DB to unintended sources within the subnet.
D. Allowing traffic from the subnet of the application servers on port 443 is not suitable for MySQL access: MySQL uses port 3306, not port 443, so this rule would unnecessarily open the DB to web traffic from the whole subnet while not permitting MySQL communication at all.
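The difference between options A and C is easiest to see in infrastructure code. The following Terraform fragment is an added example and is not part of the original question; the security group names, the variable, and the subnet CIDR are assumptions. It expresses the option A rule (source is another security group) next to the broader option C rule (source is the subnet CIDR), which is left commented out for contrast.

```hcl
# Added example, not from the original page. Names and the CIDR are assumed.

variable "vpc_id" {
  type = string
}

# Security group already attached to the application servers' network interfaces.
resource "aws_security_group" "app_servers" {
  name   = "sg-application-servers"
  vpc_id = var.vpc_id
}

# Security group for the DB instance.
resource "aws_security_group" "db" {
  name   = "sg-db-instance"
  vpc_id = var.vpc_id
}

# Option A: only network interfaces that carry sg-application-servers may reach
# MySQL on TCP 3306. The match is on security group membership, not on IP
# address, so other hosts in the same subnet are not admitted.
resource "aws_security_group_rule" "db_from_app_sg" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app_servers.id
}

# Option C, shown for contrast only (do not apply both rules): a CIDR-based rule
# admits every resource in the subnet, not just the application servers.
# resource "aws_security_group_rule" "db_from_app_subnet" {
#   type              = "ingress"
#   security_group_id = aws_security_group.db.id
#   from_port         = 3306
#   to_port           = 3306
#   protocol          = "tcp"
#   cidr_blocks       = ["10.0.1.0/24"] # assumed application-server subnet
# }
```

A quick check after applying: `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<db-sg-id>` should list exactly one ingress rule, on TCP 3306, whose source is the application-server security group ID and which has no CIDR block.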