Which combination of steps should the solutions architect take to meet these requirements?
(Choose two.)
Create a network ACL for the public subnet. Add a rule to deny outbound traffic to 0.0.0.0/0 on port 3306.
Create a security group for the DB instance. Add a rule to allow traffic from the public subnet CIDR block on port 3306.
Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443.
Create a security group for the DB instance. Add a rule to allow traffic from the web servers’ security group on port 3306.
Create a security group for the DB instance. Add a rule to deny all traffic except traffic from the web servers’ security group on port 3306.
Explanations:
Creating a network ACL to deny outbound traffic to 0.0.0.0/0 on port 3306 is not necessary because the security group should control inbound and outbound traffic. The public subnet should not have any restrictions on outbound traffic for port 443, as web servers need to respond to incoming HTTPS requests.
Adding a rule to allow traffic from the public subnet CIDR block on port 3306 is incorrect because the database should not be directly accessible from the public subnet. It should only allow connections from the security group associated with the web servers.
Creating a security group for the web servers that allows traffic from 0.0.0.0/0 on port 443 is correct. This ensures that the web servers can accept HTTPS traffic from any internet source, fulfilling the requirement for public accessibility.
Creating a security group for the DB instance that allows traffic from the web servers’ security group on port 3306 is correct. This ensures that only the web servers can access the database, adhering to the principle of least privilege.
Adding a rule to deny all traffic except traffic from the web servers’ security group on port 3306 is incorrect. While restricting access to only the web servers is the right approach, security groups inherently deny all traffic by default. Thus, this option is redundant and not the standard way to set up security groups.
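The two correct options expressed as a CloudFormation template, added here as an illustration rather than taken from the original question or its explanation; the `VpcId` parameter and the resource names are assumptions for the example:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: public web tier reachable on 443 from anywhere,
  DB tier reachable on 3306 only from the web tier's security group.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id   # assumed: the VPC that holds the public and DB subnets

Resources:
  # Option 3: web servers accept HTTPS from any internet source.
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Public web servers - HTTPS from anywhere
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      # No SecurityGroupEgress block: default egress (allow all) stays in place,
      # so the instances can respond to clients and reach the database.

  # Option 4: the DB accepts MySQL only from members of the web tier group.
  # The source is the security group ID, not the public subnet CIDR, so an
  # unrelated host placed in that subnet still cannot reach port 3306.
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Private DB - MySQL only from the web tier
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref WebServerSecurityGroup
      # There is no "deny everything else" rule to write (option 5): any
      # traffic not matched by an ingress rule is dropped by default.
```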