What should a solutions architect recommend?
A. Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer. Configure the EC2 instance iptables rules to drop suspicious web traffic. Create a security group for the DB instances. Configure the RDS security group to only allow port 3306 inbound from the individual EC2 instances.
B. Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer. Move DB instances to the same subnets that EC2 instances are located in. Create a security group for the DB instances. Configure the RDS security group to only allow port 3306 inbound from the individual EC2 instances.
C. Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer. Use AWS WAF to monitor inbound web traffic for threats. Create a security group for the web application servers and a security group for the DB instances. Configure the RDS security group to only allow port 3306 inbound from the web application server security group.
D. Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer. Use AWS WAF to monitor inbound web traffic for threats. Configure the Auto Scaling group to automatically create new DB instances under heavy traffic. Create a security group for the RDS DB instances. Configure the RDS security group to only allow port 3306 inbound.
Explanations:
A. While the approach of securing the RDS instances with a security group that restricts access to only the EC2 instances is valid, it does not incorporate a web application firewall (WAF) to protect against web-based attacks. Additionally, managing suspicious traffic solely with iptables on EC2 instances is less effective than using AWS-native solutions like WAF.
B. Moving the DB instances to the same public subnet as the EC2 instances exposes them directly to the internet, increasing vulnerability to attacks. The security requirement mandates that DB instances remain secured in private subnets, and simply allowing inbound traffic from EC2 does not mitigate web-based attack risks.
C. This option is the most comprehensive as it includes the use of AWS WAF to monitor and protect against web-based threats. By maintaining the RDS instances in private subnets and configuring the security group to allow inbound access only from the web application servers, it effectively minimizes the attack surface. This approach aligns with best practices for securing sensitive data.
D. While this option also incorporates the use of AWS WAF, it incorrectly suggests that the Auto Scaling group should automatically create new DB instances under heavy traffic. RDS Multi-AZ setups do not scale the number of DB instances; rather, they provide high availability and failover capabilities. This could lead to confusion about the capabilities of RDS and doesn't address the fundamental requirement of securing the DB instances.
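The security-group rule that separates the recommended option from the others is "TCP 3306 inbound only from the web application server security group", with no CIDR sources at all. The following is an added example, not part of the original question set or of any AWS tooling: a small offline audit that takes inbound rules in the shape of the EC2 DescribeSecurityGroups `IpPermissions` entries and reports where a DB security group deviates from that pattern. The security-group ids, CIDRs, and the four sample groups (one modelled on each answer option) are constructed placeholders, not real resources.

```python
"""Audit a DB security group's inbound rules against the target pattern:
TCP 3306 allowed only from the web-tier security group, nothing else.
Pure Python, runs offline on constructed sample data (example code)."""

DB_PORT = 3306
WEB_SG = "sg-0web000000000000"   # constructed placeholder id, not a real resource
OTHER_SG = "sg-0ops000000000000"  # constructed placeholder id, not a real resource


def rule(from_port, to_port, proto="tcp", cidrs=(), sgs=()):
    """Build one entry shaped like an EC2 DescribeSecurityGroups IpPermissions item."""
    return {
        "IpProtocol": proto,
        "FromPort": from_port,
        "ToPort": to_port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": g} for g in sgs],
    }


# Constructed sample: one DB security group per answer option.
SAMPLE_DB_GROUPS = {
    "A_per_instance_ips": [rule(3306, 3306, cidrs=("10.0.1.10/32", "10.0.1.11/32"))],
    "B_same_subnet_ips": [rule(3306, 3306, cidrs=("10.0.1.0/24",))],
    "C_web_sg_only": [rule(3306, 3306, sgs=(WEB_SG,))],
    "D_open_3306": [rule(3306, 3306, cidrs=("0.0.0.0/0",))],
}


def _covers_port(perm, port):
    """True if this permission entry would admit traffic to the given TCP port."""
    if perm["IpProtocol"] == "-1":          # "all traffic" rule
        return True
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit_db_ingress(permissions, web_sg_id, port=DB_PORT):
    """Return a list of findings; an empty list means the group matches the pattern."""
    findings = []
    web_sg_allowed = False
    for perm in permissions:
        if not _covers_port(perm, port):
            continue  # unrelated port, out of scope for this check
        if perm["IpProtocol"] == "-1" or perm.get("FromPort") != perm.get("ToPort"):
            findings.append("rule is wider than the single DB port")
        for r in perm["IpRanges"] + perm["Ipv6Ranges"]:
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            # Any CIDR source is a finding: 0.0.0.0/0 exposes the DB outright, and
            # per-instance or per-subnet CIDRs go stale as Auto Scaling replaces instances.
            findings.append(f"port {port} open to CIDR {cidr}")
        for pair in perm["UserIdGroupPairs"]:
            if pair["GroupId"] == web_sg_id:
                web_sg_allowed = True
            else:
                findings.append(f"port {port} open to unexpected group {pair['GroupId']}")
    if not web_sg_allowed:
        findings.append(f"no rule permits the web-tier group {web_sg_id} on port {port}")
    return findings


def audit_all(groups=SAMPLE_DB_GROUPS, web_sg_id=WEB_SG):
    """Run the audit over every sample group; returns {name: findings}."""
    return {name: audit_db_ingress(perms, web_sg_id) for name, perms in groups.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{'OK' if not findings else 'FAIL':4} {name}")
        for f in findings:
            print(f"       - {f}")
```

Only the group modelled on option C comes back clean. The check is deliberately strict about CIDR sources: referencing the web-tier security group as the source means the rule keeps working as the Auto Scaling group launches and terminates instances, whereas per-instance or per-subnet addresses (options A and B) have to be maintained by hand and drift out of date.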