Which additional configuration strategy should the solutions architect use to meet these requirements?

By:
In: SAA-C03
Tagged:
With: 2 Comments
A solutions architect is creating a new VPC design.There are two public subnets for the load balancer, two private subnets for web servers, and two private subnets for MySQL.The web servers use only HTTPS.The solutions architect has already created a security group for the load balancer allowing port 443 from 0.0.0.0/0.Company policy requires that each resource has the least access required to still be able to perform its tasks.

Which additional configuration strategy should the solutions architect use to meet these requirements?

Create a security group for the web servers and allow port 443 from 0.0.0.0/0. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.

Create a network ACL for the web servers and allow port 443 from 0.0.0.0/0. Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.

Create a security group for the web servers and allow port 443 from the load balancer. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.

Create a network ACL for the web servers and allow port 443 from the load balancer. Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.

Explanations:

This option opens port 443 to all sources (0.0.0.0/0) for web servers, which violates the principle of least privilege. It is preferable to restrict access to the load balancer only.

While network ACLs can control traffic, this option also opens port 443 to all sources for the web servers. Additionally, using network ACLs instead of security groups is less flexible and not necessary for this scenario.

This option correctly allows port 443 only from the load balancer to the web servers, which adheres to the principle of least privilege. It also allows port 3306 only from the web servers to the MySQL servers, which is the intended communication path.

Similar to option B, this option uses network ACLs instead of security groups. It also opens port 443 from the load balancer, but using network ACLs is not ideal for this architecture, as security groups provide better management and flexibility.

2026-03-16

2 Comments

  1. Nicole
    Author

    I estimate that the answer is:
    Create a security group for the web servers and allow port 443 from the load balancer. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.

  2. Alan
    Author

    I assess that the answer is:
    Create a security group for the web servers and allow port 443 from the load balancer. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × 2 =