What must the database administrator do to finish providing connectivity to the reporting application?

By:
In: DBS-C01
Tagged:
With: 1 Comment
A company has a reporting application that runs on an Amazon EC2 instance in an isolated developer account on AWS.The application needs to retrieve data during non-peak company hours from an Amazon Aurora PostgreSQL database that runs in the company’s production account.The company’s security team requires that access to production resources complies with AWS best security practices.A database administrator needs to provide the reporting application with access to the production database.The company has already configured VPC peering between the production account and developer account.The company has also updated the route tables in both accounts with the necessary entries to correctly set up VPC peering.

What must the database administrator do to finish providing connectivity to the reporting application?

Add an inbound security group rule to the database security group that allows access from the developer account VPC CIDR on port 5432. Add an outbound security group rule to the EC2 security group that allows access to the production account VPC CIDR on port 5432.

Add an outbound security group rule to the database security group that allows access from the developer account VPC CIDR on port 5432. Add an outbound security group rule to the EC2 security group that allows access to the production account VPC CIDR on port 5432.

Add an inbound security group rule to the database security group that allows access from the developer account VPC CIDR on all TCP ports. Add an inbound security group rule to the EC2 security group that allows access to the production account VPC CIDR on port 5432.

Add an inbound security group rule to the database security group that allows access from the developer account VPC CIDR on port 5432. Add an outbound security group rule to the EC2 security group that allows access to the production account VPC CIDR on all TCP ports.

Explanations:

Adding an inbound rule to the database security group for the developer VPC CIDR on port 5432 allows the reporting application to connect to the Aurora PostgreSQL database on the correct port. The outbound rule on the EC2 security group to allow access to the production VPC CIDR on port 5432 permits return traffic from the database. This follows AWS security best practices by restricting access to the necessary port only.

Outbound rules on both security groups are not sufficient for the reporting application to establish a connection, as there is no inbound rule on the database security group to accept traffic on port 5432.

Allowing inbound access to all TCP ports on the database security group from the developer VPC CIDR does not follow AWS security best practices, as it opens up unnecessary access to the database. Additionally, an inbound rule on the EC2 security group is not needed, as the EC2 instance initiates the connection.

Allowing outbound access on all TCP ports from the EC2 security group is unnecessary and does not follow AWS security best practices, as it opens up excessive access to the production VPC.

2025-09-30

1 Comment

  1. Justin
    Author

    I draft that the answer is:
    Add an inbound security group rule to the database security group that allows access from the developer account VPC CIDR on port 5432. Add an outbound security group rule to the EC2 security group that allows access to the production account VPC CIDR on port 5432.

Leave a Reply to Justin Cancel reply

Your email address will not be published. Required fields are marked *

one × 2 =