Which combination of steps should the solutions architect take to meet these requirements?
(Choose two.)
Create a network ACL for the public subnet. Add a rule to deny outbound traffic to 0.0.0.0/0 on port 3306.
Create a security group for the DB instance. Add a rule to allow traffic from the public subnet CIDR block on port 3306.
Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443.
Create a security group for the DB instance. Add a rule to allow traffic from the web servers’ security group on port 3306.
Create a security group for the DB instance. Add a rule to deny all traffic except traffic from the web servers’ security group on port 3306.
Explanations:
Network ACLs are used for controlling traffic at the subnet level, but security groups should be used for controlling access to resources like RDS instances.
Security groups for the DB instance should allow traffic from the web servers’ security group on port 3306, not the public subnet CIDR block directly.
Security groups for the web servers should allow incoming traffic from the internet on port 443 to meet the requirement of allowing internet access.
Security groups for the DB instance should allow traffic only from the web servers’ security group on port 3306, ensuring restricted access to the database.
Security groups do not have explicit deny rules. You can only allow traffic, and any non-allowed traffic is implicitly denied.
From what I’ve seen, the answer is:
Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443.