Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 74 discussion

Web Server Rules: Inbound traffic from 443 (HTTPS) Source 0.0.0.0/0 - Allows inbound HTTPS access from any IPv4 address Database Rules : 1433 (MS SQL)The default port to access a Microsoft SQL Server database, for example, on an Amazon RDS instance https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html

EC2 web on public subnets + EC2 SQL on private subnet + security is high priority. So, Option A to allow HTTPS from everywhere. Plus option C to allow SQL connection from the web instance.

HTTPS (443) from the world MS SQL server sock connection in 1433 from the private interfaces of the public web tier servers. Security groups can be added to other security group rules. Hence A,C.

A & C are the only correct options here.

Web server is public: should allow all (0.0.0.0/0) inbound traffic from 443 (HTTPS) MSSQL Server is private: it should only allow inbound traffic from the web tier from 1433. 443 is HTTPS port, so it's not necessary on MSSQL Server.

Ans A, C - allow public access for all input, but control access to database: source 0.0.0.0/0, control access on port 1433 (MS SQL)

SG are blocked by default and stateful so A: Allows inbound traffic from web to the HTTPS default port on web servers B: Outbound is not required if inbound is configured due to stateful nature of SG C: 1433 is SQL default so allow access from web-tier only D: Opens up the database to web on 1433 port E: opens up 443 port unnecessarily on the DB tier so less secure AC is the most secure config

Allow inbound traffic on port 443 from 0.0.0.0/0 on the web tier. Then allow inbound traffic on port 1433 from the security group for the web tier on the database tier.

The security group for the web tier should allow inbound traffic on port 443 from 0.0.0.0/0. This will allow clients to connect to the web tier using HTTPS. The security group for the web tier should also allow outbound traffic on port 443 to 0.0.0.0/0. This will allow the web tier to connect to the internet to download updates and other resources. The security group for the database tier should allow inbound traffic on port 1433 from the security group for the web tier. This will allow the web tier to connect to the database tier to access data. The security group for the database tier should not allow outbound traffic on ports 443 and 1433 to the security group for the web tier. This will prevent the database tier from being exposed to the public internet.

A. This configuration allows external users to access the web tier over HTTPS (port 443). However, it's important to note that it is generally recommended to restrict the source IP range to a more specific range rather than allowing access from 0.0.0.0/0 (anywhere). This would limit access to only trusted sources. C. By allowing inbound traffic on port 1433 (default port for Microsoft SQL Server) from the security group associated with the web tier, you ensure that the database tier can only be accessed by the EC2 instances in the web tier. This provides a level of isolation and restricts direct access to the database tier from external sources.

DB tier: Port 1433 is the known standard for SQL server and should be used. web tier on port 443 (HTTPS)

AC is correct

A & C are the correct answer. Inbound traffic to the web tier on port 443 (HTTPS) The web tier will then access the Database tier on port 1433 - inbound.

AC 443-http inbound and 1433-sql server Security group => focus on inbound traffic since by default outboud traffic is allowed

Security group => focus on inbound traffic since by default outboud traffic is allowed

why both are inbound rules

***CORRECT*** The correct answers are C and E. For security purposes, it is best practice to limit inbound and outbound traffic as much as possible. In this case, the web tier should only be able to access the database tier and not the other way around. Therefore, the security group for the web tier should only allow outbound traffic to the security group for the database tier on the necessary ports. Similarly, the security group for the database tier should only allow inbound traffic from the security group for the web tier on the necessary ports. Answer C: Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier. This is correct because the web tier needs to be able to connect to the database on port 1433 in order to access the data.