
Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 406 discussion

A solutions architect is designing a two-tiered architecture that includes a public subnet and a database subnet. The web servers in the public subnet must be open to the internet on port 443. The Amazon RDS for MySQL DB instance in the database subnet must be accessible only to the web servers on port 3306.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  • A. Create a network ACL for the public subnet. Add a rule to deny outbound traffic to 0.0.0.0/0 on port 3306.
  • B. Create a security group for the DB instance. Add a rule to allow traffic from the public subnet CIDR block on port 3306.
  • C. Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443.
  • D. Create a security group for the DB instance. Add a rule to allow traffic from the web servers’ security group on port 3306.
  • E. Create a security group for the DB instance. Add a rule to deny all traffic except traffic from the web servers’ security group on port 3306.
Suggested Answer: CD

Comments

Guru4Cloud
Highly Voted 1 year, 1 month ago
Selected Answer: CD
Remember guys that SG is not used for Deny action, just Allow
upvoted 7 times
...
waldirlsantos
Most Recent 6 months ago
Selected Answer: CD
The following are the default rules for a security group that you create: Allows no inbound traffic. Allows all outbound traffic.
upvoted 2 times
...
TariqKipkemei
11 months, 3 weeks ago
Selected Answer: CD
'must be accessible only to the web servers' is the key here. Option B almost threw me off, but with this then all that exists in the public subnet would be able to access the DB security group. Therefore C,D well applies the principle of least privilege.
upvoted 4 times
...
datmd77
1 year, 5 months ago
Selected Answer: CD
Remember guys that SG is not used for Deny action, just Allow
upvoted 4 times
...
Buruguduystunstugudunstuy
1 year, 6 months ago
Selected Answer: CD
To meet the requirements of allowing access to the web servers in the public subnet on port 443 and the Amazon RDS for MySQL DB instance in the database subnet on port 3306, the best solution would be to create a security group for the web servers and another security group for the DB instance, and then define the appropriate inbound and outbound rules for each security group.
1. Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443.
2. Create a security group for the DB instance. Add a rule to allow traffic from the web servers' security group on port 3306.
This will allow the web servers in the public subnet to receive traffic from the internet on port 443, and the Amazon RDS for MySQL DB instance in the database subnet to receive traffic only from the web servers on port 3306.
upvoted 2 times
...
kampatra
1 year, 7 months ago
Selected Answer: CD
CD - Correct ans.
upvoted 2 times
...
Eden
1 year, 7 months ago
I choose CE
upvoted 1 times
...
lili_9
1 year, 7 months ago
CE support @sitha
upvoted 1 times
...
sitha
1 year, 7 months ago
Answer: CE . The solution is to deny accessing DB from Internet and allow only access from webserver.
upvoted 1 times
...
KAUS2
1 year, 7 months ago
Selected Answer: CD
C & D are the right choices. correct
upvoted 1 times
...
KS2020
1 year, 7 months ago
why not CE?
upvoted 2 times
[Removed]
1 year, 7 months ago
Characteristics of security group rules: You can specify allow rules, but not deny rules. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
upvoted 2 times
...
kampatra
1 year, 7 months ago
By default, Security Group denies all traffic and we need to configure it to enable access.
upvoted 4 times
...
...
[Removed]
1 year, 7 months ago
Selected Answer: CD
cdcdcdcdcdc
upvoted 2 times
...
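The difference between options B and D, as an added example that is not part of the original question or any comment: a simplified model of allow-only security group evaluation over rules shaped like the EC2 `IpPermissions` structure. The group IDs, CIDR and host addresses are constructed placeholders, and group references are modelled as plain membership of the source in the referenced group.

```python
import ipaddress

# Constructed sample data in the shape of EC2 DescribeSecurityGroups "IpPermissions".
# Group IDs and CIDRs are placeholders, not values from the original page.
WEB_SG = "sg-web-example"
PUBLIC_SUBNET = "10.0.1.0/24"

DB_RULES_OPTION_B = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                      "IpRanges": [{"CidrIp": PUBLIC_SUBNET}], "UserIdGroupPairs": []}]
DB_RULES_OPTION_D = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                      "IpRanges": [], "UserIdGroupPairs": [{"GroupId": WEB_SG}]}]
WEB_RULES_OPTION_C = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]


def ingress_allowed(rules, src_ip, src_groups, port, protocol="tcp"):
    """Security groups are allow-only: traffic passes if any rule matches, else it is dropped."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["IpProtocol"] not in (protocol, "-1"):
            continue
        if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"]):
            return True
        if any(p["GroupId"] in src_groups for p in rule["UserIdGroupPairs"]):
            return True
    return False  # implicit deny: no rule matched


def cidr_sources(rules, port):
    """Audit helper: CIDR sources that can reach `port` (candidates to replace with an SG reference)."""
    return [r["CidrIp"] for rule in rules
            if rule["IpProtocol"] in ("tcp", "-1")
            and (rule["IpProtocol"] == "-1" or rule["FromPort"] <= port <= rule["ToPort"])
            for r in rule["IpRanges"]]


if __name__ == "__main__":
    web = ("10.0.1.10", {WEB_SG})             # web server, member of the web SG
    other = ("10.0.1.50", {"sg-other"})       # another host in the same public subnet
    for name, rules in (("B", DB_RULES_OPTION_B), ("D", DB_RULES_OPTION_D)):
        print(name, "web:", ingress_allowed(rules, *web, 3306),
              "other host:", ingress_allowed(rules, *other, 3306),
              "CIDR sources:", cidr_sources(rules, 3306))
```

Under option B the second host in the public subnet reaches port 3306 as well; under option D only members of the web servers' group do, and no deny rule is needed because unmatched traffic is dropped.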